momo Security Vulnerability Database

Multi-module data retrieval platform


CVE-2024-12025: WordPress Collapsing Categories <= 3.0.8 - SQL Injection

CVE: CVE-2024-12025
CNVD: None
CNNVD: None
Vulnerability type: SQL injection
Severity: High
Year: 2026
POC_ID: None
Vulnerability description
The Collapsing Categories plugin for WordPress <= 3.0.8 contains a SQL injection caused by insufficient escaping of the 'taxonomy' parameter in the /wp-json/collapsing-categories/v1/get REST API, letting unauthenticated attackers execute arbitrary SQL queries. Exploitation requires sending a crafted 'taxonomy' parameter.

[Publicly disclosed]

id: CVE-2024-12025

info:
  name: WordPress Collapsing Categories <= 3.0.8 - SQL Injection
  author: Shivam Kamboj
  severity: high
  description: |
    Collapsing Categories plugin for WordPress <= 3.0.8 contains a sql_injection caused by insufficient escaping of 'taxonomy' parameter in /wp-json/collapsing-categories/v1/get REST API, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'taxonomy' parameter.
  impact: |
    Attackers can execute arbitrary SQL queries, potentially leading to data leakage or database compromise.
  remediation: |
    Update to the latest version of the plugin that addresses this vulnerability or apply security patches provided by the vendor.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/collapsing-categories/collapsing-categories-308-unauthenticated-sql-injection
    - https://nvd.nist.gov/vu
FOFA query
None
Affected products
WordPress Collapsing Categories
Vulnerability details
POC: Public
Remediation advice
None