Cyber Posture

CVE-2024-8855

Severity: Critical · Public PoC available

Published: 07 January 2025

Modified: 14 May 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks.

Security Summary

CVE-2024-8855 is a SQL injection vulnerability (CWE-89) affecting the WordPress Auction Plugin for WordPress through version 3.7. The plugin fails to sanitize and escape a parameter before incorporating it into a SQL statement, enabling injection attacks. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and potential for high impacts on confidentiality, integrity, and availability.

The vulnerability allows users with the Editor role or higher to perform SQL injection attacks. The description therefore restricts exploitation to authenticated users at Editor level or above, yet the CVSS vector rates the flaw as requiring no privileges (PR:N), which would imply that an unauthenticated remote attacker could execute arbitrary SQL queries over the network without any user interaction.

For mitigation details, refer to the WPScan advisory at https://wpscan.com/vulnerability/04084f2a-45b8-4249-a472-f156fad0c90a/.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)

Affected Products

Vendor: wpmarka
Product: wordpress auction
Affected versions: ≤ 3.7

References