CVE-2024-30502: WP Travel Engine <= 5.7.9 - SQL Injection
Vulnerability Description
WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, allowing attackers to execute arbitrary SQL queries. Exploitation requires user interaction. [Publicly disclosed]

id: CVE-2024-30502

info:
  name: WP Travel Engine <= 5.7.9 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
  impact: |
    Attackers can execute arbitrary SQL queries, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to the latest version of WP Travel Engine.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-travel-engine/wp-travel-engine-579-unauthenticated-sql-injection
    - https://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-5-7-9-unauth-blind-sql-injection-vulnerability
    - https://plugins.trac.wordpress.org/changeset?old_path=/wp-travel-engine/tags/5.7.9&new_path=/wp-travel-engine/tags/5.8.0
FOFA Query
None available
Affected Scope
WP Travel Engine
Vulnerability Details
POC:
Publicly disclosed
Remediation Advice
None available