
Critical Information Disclosure Vulnerabilities in WordPress (CVE-2024-6928, CVE-2024-6924)

Advisory No: TZCERT/SA/2024/08/15-2

Date of First Release: 15th August 2024

Source: Wordfence

Software Affected: opti-marketing, truebooker-appointment-booking

Overview:

Two WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to extract sensitive information.

Description:

The WordPress plugins opti-marketing and truebooker-appointment-booking are affected by the vulnerabilities tracked as CVE-2024-6928 and CVE-2024-6924, each with a CVSS score of 10. Both plugins are vulnerable to PHP Code Injection due to insufficient escaping on a user-supplied parameter and lack of sufficient preparation on the existing SQL query. Remote attackers can exploit the vulnerabilities to extract sensitive information from the database.
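As an added illustration (not code from either affected plugin or from Wordfence), the pattern the description names, a request parameter concatenated into a $wpdb query without escaping or preparation, beside the prepared-statement form that closes it; the AJAX action name, table and column names are assumed for the example:

```php
<?php
// Illustrative WordPress plugin code; NOT the affected plugins' own source.
// Assumes a hypothetical AJAX action "demo_lookup" and a custom table
// {$wpdb->prefix}demo_items with columns id, name, status.

// VULNERABLE pattern: the request parameter is interpolated straight into the
// SQL string. esc_sql() is not applied and $wpdb->prepare() is not used, so
// the caller controls part of the query text rather than only a bound value.
function demo_lookup_vulnerable() {
    global $wpdb;
    $status = isset( $_GET['status'] ) ? $_GET['status'] : '';
    $sql    = "SELECT id, name FROM {$wpdb->prefix}demo_items WHERE status = '$status'";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED pattern: sanitize the input, optionally restrict it to a known-good
// set, then bind it through $wpdb->prepare(), which escapes and quotes the
// value so it is always treated as data and never as SQL syntax.
function demo_lookup_hardened() {
    global $wpdb;
    $status = isset( $_GET['status'] )
        ? sanitize_text_field( wp_unslash( $_GET['status'] ) )
        : '';
    if ( ! in_array( $status, array( 'active', 'archived' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}demo_items WHERE status = %s",
        $status
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Registering on wp_ajax_nopriv_ exposes the handler to visitors who are not
// logged in, which is what makes an unprepared query reachable by an
// unauthenticated attacker as the advisory describes. Only the hardened
// handler is wired up here.
add_action( 'wp_ajax_nopriv_demo_lookup', 'demo_lookup_hardened' );
add_action( 'wp_ajax_demo_lookup', 'demo_lookup_hardened' );
```

When reviewing a plugin, grep for $wpdb->query, get_results, get_var and get_row calls whose SQL string contains a PHP variable but no surrounding $wpdb->prepare(); each such call is a candidate for this bug class.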

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to gain access to sensitive information.

Solution:

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/opti-marketing/opti-marketing-209-unauthenticated-sql-injection
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/truebooker-appointment-booking/truebooker-102-unauthenticated-sql-injection
