WordPress Plugin Vulnerabilities

AI Engine < 2.4.8 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.

Proof of Concept

Affects Plugins

Plugin icon
ai-engine
Fixed in 2.4.8

References

CVE
CVE-2024-6723

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Karolis Narvilas
Submitter
Karolis Narvilas
Submitter website
https://prisminfosec.com
Verified
Yes
WPVDB ID
fbd2152e-0aa1-4b56-a6a3-2e6ec78e08a5

Timeline

Publicly Published
2024-08-22 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2024-07-22
Title
ListingPro Plugin <= 2.9.3 - Unauthenticated SQL Injection
Published
2021-07-24
Title
Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection
Published
2024-06-28
Title
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress < 1.2.11 - Unauthenticated SQL Injection via 'uwp_sort_by'
Published
2025-04-07
Title
Team Circle Image Slider With Lightbox < 1.0.5 - Authenticated (Admin+) SQL Injection
Published
2025-03-02
Title
Pods < 3.2.8.2 - Admin+ SQL Injection