WordPress Plugin Vulnerabilities

Realtyna Organic IDX plugin < 4.14.8 - Unauthenticated SQLi

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Affects Plugins

Plugin icon
real-estate-listing-realtyna-wpl
Fixed in 4.14.8

References

CVE
CVE-2024-32128
URL
https://patchstack.com/database/vulnerability/real-estate-listing-realtyna-wpl/wordpress-realtyna-organic-idx-plugin-wpl-real-estate-plugin-4-14-4-unauthenticated-sql-injection-vulnerability

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Joshua Chan
Verified
No
WPVDB ID
d22a60bc-b9c6-4a26-97cc-8e6ec0a15c1b

Timeline

Publicly Published
2024-04-12 (about 2 years ago)
Added
2024-04-18 (about 2 years ago)
Last Updated
2024-05-23 (about 1 year ago)

Other

Published
Title
Published
2013-01-21
Title
WordPress Poll <= 34.05 - SQL Injection
Published
2015-07-16
Title
Plugmatter Optin Feature Box <= 2.0.13 - Unauthenticated Blind SQL Injection
Published
2021-11-01
Title
myCred < 2.3 - Subscriber+ SQL Injection
Published
2025-12-23
Title
WPBulky < 1.1.14 - Authenticated (Author+) SQL Injection
Published
2025-04-08
Title
Bulk Product Sync < 9.0 - Unauthenticated SQL Injection