CVE-2024-0594 — SQL Injection in Awesome Support Wordpress Helpdesk Support Plugin

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 51.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Awesomesupport Awesome Support Wordpress Helpdesk Support Plugin Getawesomesupport Awesome Support

Timeline

PublishedFeb 10

Description

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5awesomesupport/awesome_support_wordpress_helpdesk_support_plugin6.1.7

▶NVDgetawesomesupport/awesome_support6.1.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-48qf-jjwf-7c3j: The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the↗2024-02-10

▶

CVEList

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Authenticated (Subscriber+) SQL Injection↗2024-02-10

▶