cbcvebase.
CVE-2024-32709
published 2024-04-24

CVE-2024-32709: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Plechev Andrey WP-Recall. This issue affects WP-Recall…

Priority: P269
Severity: critical, CVSS 3.1 base score 9.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
EXPLOIT
EPSS: 5.85% (92.3rd percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Plechev Andrey WP-Recall. This issue affects WP-Recall: from n/a through 16.26.5.

Affected (1 range)

Vendor           Product     Version range    Fixed in
plechev_andrey   wp-recall   n/a – 16.26.5

Detection & IOCs (extracted from sources)

url: /account/?user=1&tab=groups&group-name=p%27+or+%27%%27=%27%%27+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat(%22Database:%22,md5({{num}}),0x7c,%20%22Version:%22,version()),13--+-
path: /wp-content/plugins/wp-recall/
  • Detect exploitation attempts by monitoring HTTP GET requests to /account/ with parameters 'tab=groups' and 'group-name' containing SQL injection payloads (e.g., UNION SELECT, OR conditions with wildcards, and SQL comment sequences '--').
  • The vulnerability is exploitable by unauthenticated attackers; no session cookie or authentication token is required in the request.
  • Confirm exploitation by checking HTTP 200 responses whose body contains the MD5 hash of the injected numeric value (e.g., md5(999999999)), indicating successful UNION-based SQL data exfiltration.
  • Presence of the WP-Recall plugin directory can be fingerprinted via PublicWWW or HTTP response bodies referencing '/wp-content/plugins/wp-recall/' to identify potentially vulnerable targets.
  • The vulnerability affects all WP-Recall versions up to and including 16.26.5; version 16.26.6 and later are patched.
  • The SQL injection is triggered via the 'group-name' GET parameter on the /account/ endpoint; insufficient escaping and lack of prepared statements are the root cause.
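The detection and confirmation rules above, worked into runnable form as an added example (this is not code from the advisory or from the WP-Recall project): it flags GET requests to /account/ with tab=groups whose group-name value carries the listed indicators, and confirms exfiltration when a 200 response echoes the MD5 of the injected number. The sample traffic is constructed, with the {{num}} placeholder from the IOC URL set to 999999999.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicators named in the detection notes above: UNION SELECT, an OR condition
# comparing wildcard strings, and a trailing SQL comment sequence.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "or_wildcard": re.compile(r"\bor\b\s*'[^']*%[^']*'\s*=\s*'", re.I),
    "sql_comment": re.compile(r"--(\s|$)"),
}

def inspect_request(method, url):
    """Names of indicators matched by the group-name value, or [] when the
    request is not a GET to /account/ with tab=groups and group-name set."""
    parts = urlsplit(url)
    if method.upper() != "GET" or not parts.path.rstrip("/").endswith("/account"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    if qs.get("tab") != ["groups"] or "group-name" not in qs:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(qs["group-name"][0])]

def confirm_exfiltration(url, status, body):
    """True when a 200 response echoes md5() of the number injected via group-name."""
    if status != 200:
        return False
    value = parse_qs(urlsplit(url).query).get("group-name", [""])[0]
    for num in re.findall(r"md5\((\d+)\)", value, re.I):
        # MySQL md5(999999999) hashes the decimal digits as a string, as done here
        if hashlib.md5(num.encode()).hexdigest() in body:
            return True
    return False

# Constructed sample traffic (not real logs): a benign request, the IOC probe
# with a leaking 200 response, and the same probe answered with an error page.
MD5_MARK = hashlib.md5(b"999999999").hexdigest()
PROBE = ("/account/?user=1&tab=groups&group-name=p%27+or+%27%%27=%27%%27+union"
         "+all+select+1,2,3,4,5,6,7,8,9,10,11,concat(%22Database:%22,"
         "md5(999999999),0x7c,%20%22Version:%22,version()),13--+-")
SAMPLES = [
    ("GET", "/account/?user=1&tab=groups&group-name=hiking-club", 200, "<p>groups</p>"),
    ("GET", PROBE, 200, "<p>Database:" + MD5_MARK + "|Version:8.0</p>"),
    ("GET", PROBE, 500, "<p>Internal Server Error</p>"),
]

def scan(samples=SAMPLES):
    """One (matched indicators, exfiltration confirmed) pair per sample."""
    return [(inspect_request(m, u), confirm_exfiltration(u, s, b))
            for m, u, s, b in samples]
```

A request that matches but returns no hash still merits an alert; the hash echo only upgrades it to confirmed data exfiltration.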