WordPress Plugin Vulnerabilities

Track Logins <= 1.0 - Admin+ SQL Injection

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

Affects Plugins

Plugin icon
track-logins
No known fix

References

CVE
CVE-2024-13608

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Francisco Alisson
Submitter
Francisco Alisson
Verified
Yes
WPVDB ID
408e6cad-f02d-455a-9943-32da77537da1

Timeline

Publicly Published
2025-01-27 (about 10 months ago)
Added
2025-01-27 (about 10 months ago)
Last Updated
2025-01-27 (about 10 months ago)

Other

Published
Title
Published
2024-08-07
Title
Docket (WooCommerce Collections / Wishlist / Watchlist) < 1.7.0 - Unauthenticated SQL Injection
Published
2025-04-04
Title
teachPress <= 9.0.11 - Authenticated (Contributor+) SQL Injection
Published
2014-08-01
Title
WP Realty - MySQL Time Based Injection
Published
2024-01-19
Title
Cryptocurrency Widgets – Price Ticker & Coins List 2.0 - 2.6.5 - Unauthenticated SQL Injection
Published
2024-02-27
Title
WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection