CVE-2024-11939

The Cost Calculator Builder PRO WordPress plugin versions up to and including 3.2.15 are vulnerable to blind time-based SQL injection. The flaw resides in insufficient escaping of the ‘data’ parameter combined with a lack of prepared statements in the existing SQL query, enabling an attacker to manipulate the query structure [1].

As a time-based blind SQL injection, exploitation does not require authentication. An attacker can send crafted payloads through the ‘data’ parameter and observe database response delays to infer information. The unauthenticated nature and common attack vectors (e.g., HTTP requests to plugin endpoints) lower the barrier to exploitation [1].

Successful exploitation allows an unauthenticated attacker to extract sensitive information from the underlying database, potentially including usernames, hashed passwords, and other confidential data stored by the WordPress installation. This could lead to further compromise of the site [1].

The issue has been addressed in version 3.2.16 of the plugin. Users are strongly advised to update to this patched release or later to mitigate the risk [1]. The vendor changelog notes the fix under version 3.2.16 [1].