WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability

Vulnerability

The ListingPro WordPress plugin, versions 2.9.10 and earlier, contains an unauthenticated SQL injection vulnerability. This flaw resides in an unspecified input parameter that is processed without proper sanitization, allowing an attacker to inject arbitrary SQL statements. The vulnerability is reachable without any authentication, making it accessible to any remote attacker.

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests containing malicious SQL payloads to the vulnerable endpoint. No prior authentication or user interaction is required. Due to the ease of exploitation and lack of authentication, this vulnerability is expected to be used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Impact

Successful exploitation allows an attacker to directly interact with the underlying database, enabling data exfiltration, modification, or deletion. The CVSS score of 9.3 reflects the critical severity, as the attacker can steal sensitive information such as user credentials, personal data, or site configurations [1].

Mitigation

The vulnerability is fixed in version 2.9.11 of the ListingPro plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until a patch is applied [1].