CVE-2024-5975
Published 2024-07-30
Priority: P266 · Severity: critical · CVSS 3.1 base score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit likelihood (EPSS): 1.96% (77.8th percentile)
The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contrive | cz_loan_management | <= 1.1 | — |
Detection & IOCs (extracted from sources)
- The SQL injection is triggered via an AJAX action accessible to unauthenticated users, so requests to wp-admin/admin-ajax.php that carry no authentication cookies should be monitored for SQL injection payloads in their parameters.
- The affected plugin is CZ Loan Management version <= 1.1; the presence of this plugin on a WordPress installation indicates exposure. Monitor for unsanitised parameter values in AJAX requests associated with this plugin.
- The vulnerability affects the CZ Loan Management plugin through version 1.1 only; apply version scoping when deploying detections to avoid noise from patched installations.
No detection rules found.
Nuclei template: CZ Loan Management <= 1.1 - SQL Injection (CVSS 9.1)
Template name: CVE-2024-5975 [CRITICAL] CZ Loan Management <= 1.1 - SQL Injection
Template fragment as indexed (incomplete; only the tail of the matcher section survived extraction):

```yaml
CZ Loan Management =6"
- 'contains(content_type,"text/html")'
- "status_code == 200"
condition: and
# digest: 4a0a0047304502210081eebe4e7dc68c2ed4e7035cbdcac17d466daf598669ec957bac1e5851353f5b022049cd4c3616ffa4fdfa7f8b956c4bec38937e163db2ed28c911856425fc8ee49f:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.