WordPress Plugin Vulnerabilities

JSP Store Locator <= 1.0 - Contributor+ SQL Injection

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing user with Contributor to perform SQL injection attacks.

Proof of Concept

Affects Plugins

Plugin icon
jsp-store-locator
No known fix

References

CVE
CVE-2024-11267

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Régis SENET
Submitter
Régis SENET
Submitter website
https://orhus.fr
Verified
Yes
WPVDB ID
fcbdc11a-a194-46e4-8c22-11010b98fdab

Timeline

Publicly Published
2024-11-10 (about 1 year ago)
Added
2024-12-27 (about 11 months ago)
Last Updated
2024-12-27 (about 11 months ago)

Other

Published
Title
Published
2014-08-01
Title
Wordpress <= 2.3.1 - Charset Remote SQL Injection
Published
2025-06-03
Title
WP Lead Capturing Pages <= 2.3 - Unauthenticated SQL Injection
Published
2025-01-24
Title
SERPed.net < 4.6 - Authenticated (Contributor+) SQL Injection
Published
2025-01-22
Title
Product Table by WBW < 2.1.3 - Unuthenticated SQL Injection
Published
2025-09-22
Title
Perfect Brands for WooCommerce < 3.6.3 - Authenticated (Contributor+) SQL Injection