CVE-2024-3342 — SQL Injection in Timetable AND Event Schedule BY Motopress

CWE-89 — SQL Injection CWE-393 — Return of Wrong Status Code4 documents4 sources

Severity

9.9CRITICALNVD

EPSS

0.3%

top 45.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jetmonsters Timetable AND Event Schedule BY Motopress

Timeline

PublishedApr 27

Latest updateAug 17

Description

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection via the 'events' attribute of the 'mp-timetable' shortcode in all versions up to, and including, 2.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages1 packages

▶CVEListV5jetmonsters/timetable_and_event_schedule_by_motopress2.4.11

🔴Vulnerability Details

GHSA

GHSA-pw3q-4wqj-24pp: The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection via the 'events' attribute of the 'mp-timetable' sho↗2024-04-27

▶

CVEList

Timetable and Event Schedule by MotoPress <= 2.4.11 - Authenticated (Contributor+) SQL Injection↗2024-04-27

▶

📋Vendor Advisories

Red Hat

kernel: f2fs: fix return value of f2fs_convert_inline_inode()↗2024-08-17

▶