WordPress Plugin Vulnerabilities

AHAthat Plugin <= 1.6 - Admin+ SQL Injection

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.

Proof of Concept

Affects Plugins

Plugin icon
ahathat
No known fix

References

CVE
CVE-2024-11269

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Régis SENET
Submitter
Régis SENET
Submitter website
https://orhus.fr
Verified
Yes
WPVDB ID
3ad89687-adb0-4c45-938c-0c18fda7f36f

Timeline

Publicly Published
2024-11-11 (about 1 year ago)
Added
2024-12-27 (about 1 year ago)
Last Updated
2024-12-27 (about 1 year ago)

Other

Published
Title
Published
2025-07-24
Title
WooCommerce Point Of Sale (POS) <= 1.4 - Authenticated (Subscriber+) SQL Injection
Published
2024-08-19
Title
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection via getLogHistory Function
Published
2025-05-07
Title
PDF Invoices for WooCommerce + Drag and Drop Template Builder < 5.4.0 - Authenticated (Administrator+) SQL Injection
Published
2025-06-24
Title
GG Bought Together for WooCommerce <= 1.0.2 - Unauthenticated SQL Injection
Published
2025-04-09
Title
Accessibility Suite by Online ADA < 4.19 - Authenticated (Subscriber+) SQL Injection