Critical Information Disclosure Vulnerabilities in WordPress (CVE-2024-6928, CVE-2024-6924)

Published: Aug 16, 2024 19:00

Advisory No: TZCERT-SA-24-0025

Source: Wordfence

Software Affected: opti-marketing, truebooker-appointment-booking

Overview

Two critical vulnerabilities affect WordPress. Exploitation of these vulnerabilities may allow an unauthenticated attacker to extract sensitive information.

Description

The WordPress plugins opti-marketing and truebooker-appointment-booking are affected by the vulnerabilities tracked as CVE-2024-6928 and CVE-2024-6924, each with a CVSS score of 10. The plugins are vulnerable to PHP Code Injection; in both cases the cause is insufficient escaping of a user-supplied parameter and lack of sufficient preparation on the existing SQL query. Remote attackers can exploit the vulnerabilities to extract sensitive information from the database.
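The root cause named above, a user-supplied parameter concatenated into an SQL query without escaping or a prepared statement, is the same defect class in both plugins. The following is an added illustration written for this advisory; it is not code from either plugin, from Wordfence or from WordPress core. The table name `example_bookings`, the request parameter `id`, the nonce action `example_lookup` and the function names are all hypothetical; `$wpdb->prepare()`, `absint()`, `check_ajax_referer()` and `current_user_can()` are real WordPress APIs.

```php
<?php
// Added illustration, not code from either affected plugin. Assumes a
// hypothetical AJAX handler that reads an 'id' request parameter and
// looks it up in a hypothetical custom table 'example_bookings'.

// Defective pattern (the class described in the advisory): the
// user-supplied value is interpolated straight into the SQL string with
// no escaping and no prepared statement, so the value can alter the query.
function example_unsafe_lookup( $request_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings';
    $sql   = "SELECT * FROM {$table} WHERE id = {$request_id}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: coerce the input to the expected type, then bind it
// through $wpdb->prepare() so it is always treated as data, never as SQL.
function example_safe_lookup( $request_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings';
    $id    = absint( $request_id ); // non-numeric input becomes 0
    if ( 0 === $id ) {
        return array();
    }
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql );
}

// The advisory describes unauthenticated exploitation, so the handler also
// needs an access check: a nonce tied to the action and a capability test.
function example_ajax_handler() {
    check_ajax_referer( 'example_lookup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // terminates the request
    }
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    wp_send_json_success( example_safe_lookup( $id ) );
}
// Registered for logged-in users only; no matching 'wp_ajax_nopriv_' hook.
add_action( 'wp_ajax_example_lookup', 'example_ajax_handler' );
```

When reviewing a plugin for this defect class, search for `$wpdb->query`, `$wpdb->get_results`, `$wpdb->get_var` and `$wpdb->get_row` calls whose SQL string is built with string concatenation or interpolation from `$_GET`, `$_POST` or `$_REQUEST`, and for AJAX or REST handlers registered on `wp_ajax_nopriv_` hooks or with `permission_callback => '__return_true'` without a further check.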

Impact

Successful exploitation of these vulnerabilities may allow an attacker to gain access to sensitive information.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
