Stripe Payment Plugin for WooCommerce for WordPress versions up to 3.7.9 contains a sql_injection caused by insufficient escaping and lack of preparation on 'id' parameter, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'id' parameter. [已公开] id: CVE-2024-0705 info: name: Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauthenticated SQL Injection author: Shivam Kamboj severity: critical description: | Stripe Payment Plugin for WooCommerce for WordPress versions up to 3.7.9 contains a sql_injection caused by insufficient escaping and lack of preparation on 'id' parameter, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'id' parameter. remediation: | Update to the latest version of the plugin, above 3.7.9, to fix the vulnerability. impact: | Attackers can execute arbitrary SQL queries, potentially leading to data disclosure or modification of sensitive database information. reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-0705 - https://www.wordfence.com/threat-intel/vulnerabilities/id/2652a7fc-b610-40f1-8b76-2129f59390ec?source=cve metadata: verified: true max-request: 1 publ

未知