CVE-2024-43917
Published 2024-08-29
CVE-2024-43917: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows SQL…
Priority P187 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 21.77% (97.3rd percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows SQL Injection. This issue affects TI WooCommerce Wishlist: from n/a through 2.8.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| templateinvaders | ti_woocommerce_wishlist | <= 2.8.2 | — |
| templateinvaders | ti_woocommerce_wishlist | n/a – 2.8.2 | — |
Detection & IOCs (extracted from sources)
Sigma

```yaml
title: WordPress TI WooCommerce Wishlist SQLi
condition: contains(uri, 'admin-ajax.php') and contains(content_type, 'application/json') and contains(body, 'product_id')
```

- The vulnerability is unauthenticated, so no session/auth cookie is required; monitor for SQLi payloads in requests to admin-ajax.php containing 'product_id' in a JSON body.
- The detection rule targets HTTP requests where the content type is 'application/json' AND the body contains the string 'product_id', correlated with the WordPress AJAX endpoint.
- A Metasploit auxiliary scanner module exists for this CVE, meaning automated exploitation is trivial; prioritize detection of scanner-style repeated AJAX requests.
- The vulnerability affects TI WooCommerce Wishlist versions up to and including 2.8.2 only; versions above 2.8.2 are not affected.
CVSS provenance
- NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck · 9.3 CRITICAL
GHSA
GHSA-cfvh-qp4v-2hqc (ghsa_unreviewed · 2024-08-29 · CVE-2024-43917 · CRITICAL · CWE-89): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows SQL Injection. This issue affects TI WooCommerce Wishlist: from n/a through 2.8.2.
VulnCheck
CVE-2024-43917 (vulncheck · 2024 · CVSS 9.3 · CRITICAL): templateinvaders ti_woocommerce_wishlist, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows SQL Injection. This issue affects TI WooCommerce Wishlist: from n/a through 2.8.2.
Affected: templateinvaders ti_woocommerce_wishlist
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-8-2-sql-injection-vulnerability
Exploit PoC: https://vulncheck.com/xdb/63d4ae92afa9; https:/
No detection rules found.
Metasploit
WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917) (metasploit · CVSS 9.8 · CRITICAL)
The TI WooCommerce Wishlist plugin <= 2.8.2 is vulnerable to an unauthenticated SQL injection, allowing attackers to retrieve sensitive information.
Nuclei
WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection (nuclei · CVSS 9.8 · CRITICAL)
WordPress TI WooCommerce Wishlist Plugin

```yaml
=6"
- "contains(content_type, 'application/json')"
- "contains(body, 'product_id')"
condition: and
# digest: 490a0046304402201a3106e7f12fcba286630d5bdf6debeeee5fd46331dcfe7b24593617bd7701ad02200c288426bce48cf48aeca12d6d8afdd356db389d219873d0d9b142088e33688e:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.