VYPR
Medium severity 6.1 · NVD Advisory · Published Mar 20, 2024 · Updated Apr 15, 2026

CVE-2024-2387

Description

SQL injection in Advanced Form Integration plugin for WordPress allows unauthenticated attackers to execute arbitrary SQL queries and potentially inject stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Advanced Form Integration plugin for WordPress, versions up to and including 1.82.0, contains a SQL injection vulnerability in the integration_id parameter. Insufficient escaping and lack of prepared statements allow an attacker to inject arbitrary SQL queries into the existing query [1][2].

Exploitation

An unauthenticated attacker can send a crafted HTTP request with a malicious integration_id parameter to append additional SQL commands. The injected SQL can be used to insert arbitrary web scripts into the database, which may be executed when an administrator views the log table page. Successful exploitation requires the attacker to trick an administrator into interacting with a link (e.g., clicking on a crafted URL) [1][2].

Impact

An attacker can execute arbitrary SQL queries, leading to data exfiltration or modification. Additionally, stored cross-site scripting (XSS) is possible, allowing the attacker to execute malicious scripts in the context of the admin area, potentially leading to session hijacking or unauthorized actions.
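
The fix pattern for the flaw described above (integration_id reaching a query without a prepared statement, and stored script rendered on the log table page), as an added example that is not the plugin's code or the vendor's patch. The table, column and function names are hypothetical; only the WordPress core calls ($wpdb->prepare, absint, wp_unslash, esc_html) are real.

```php
<?php
// Added illustration; not the plugin's code. Table, column and function
// names are hypothetical. Runs inside WordPress (uses the global $wpdb).

// Before: the request value is concatenated into the SQL text, so the
// database parses attacker-controlled input as part of the statement.
function example_get_log_rows_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_integration_log'; // hypothetical table
    $id    = isset( $_GET['integration_id'] ) ? $_GET['integration_id'] : '';
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE integration_id = {$id}" );
}

// After: validate the type, then bind the value through a prepared statement.
function example_get_log_rows_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_integration_log'; // hypothetical table

    if ( ! isset( $_GET['integration_id'] ) ) {
        return array();
    }
    $raw = wp_unslash( $_GET['integration_id'] );

    // Reject anything that is not a plain decimal integer instead of
    // silently coercing it; absint() then yields a non-negative int.
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        return array();
    }
    $id = absint( $raw );

    // %d binds the value as an integer; it never becomes SQL syntax.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE integration_id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Defence in depth for the log table page: escape stored values on output,
// so a row written by any path is rendered as text, not markup.
function example_render_log_row( $row ) {
    // 'message' is a hypothetical column name.
    printf(
        '<tr><td>%d</td><td>%s</td></tr>',
        absint( $row->integration_id ),
        esc_html( $row->message )
    );
}
```

Binding the parameter closes the injection path, and escaping on output keeps any row already written to the table from executing in an administrator's browser.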

Mitigation

The vendor has released version 1.83.0 that addresses this vulnerability. Users are strongly advised to update to the latest version. No workarounds are available.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
