cbcvebase.
CVE-2024-5975
published 2024-07-30

CVE-2024-5975: The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action…

Priority: P2 · 66 · critical · CVSS 3.1 base score 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.96% (77.8th percentile)
The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Affected

1 range

Vendor     Product              Version range   Fixed in
contrive   cz_loan_management   <= 1.1

Detection & IOCs (extracted from sources)

  • The SQL injection is triggered via an AJAX action accessible to unauthenticated users, meaning requests to wp-admin/admin-ajax.php without authentication cookies should be monitored for SQL injection payloads in parameters.
  • Target plugin is CZ Loan Management version <= 1.1; presence of this plugin on a WordPress installation indicates exposure. Monitor for unsanitised parameter values in AJAX requests associated with this plugin.
  • The vulnerability affects CZ Loan Management plugin through version 1.1 only; ensure version scoping is applied when deploying detections to avoid noise from patched installations.
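One way to turn the first bullet into a concrete check, as an added example that is not from this page, the plugin, or its vendor: the script below parses constructed access-log lines (assuming the server logs a trailing Cookie field) and flags admin-ajax.php requests that carry no WordPress login cookie and whose query parameters contain SQL injection patterns. The AJAX action name `plugin_action` is a placeholder, since the page does not name the vulnerable action.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: combined log format plus an assumed trailing
# "Cookie" field (the standard combined format does not log cookies, so the
# server would need to be configured to add it). POST bodies are not in
# access logs at all; for those, the same check belongs in a WAF or app log.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jul/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [30/Jul/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&id=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 8123 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [30/Jul/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_action&id=1%20UNION%20SELECT%201 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1722340000"
198.51.100.7 - - [30/Jul/2024:10:00:04 +0000] "GET /index.php?s=1%27%20OR%201%3D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Coarse SQL injection indicators, applied to the *decoded* parameter value.
SQLI_RE = re.compile(
    r"('\s*(or|and)\b|\bunion\s+select\b|\bsleep\s*\(|\bbenchmark\s*\(|--\s|/\*)",
    re.IGNORECASE,
)


def flag_unauth_ajax_sqli(log_text):
    """Return admin-ajax.php requests that carry no WordPress login cookie
    and have at least one query parameter matching SQLI_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # WordPress sets wordpress_logged_in_<hash> for authenticated sessions;
        # the page's guidance is to watch requests that lack it.
        if "wordpress_logged_in_" in m["cookie"]:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        suspicious = [(k, v) for k, vals in params.items() for v in vals if SQLI_RE.search(v)]
        if suspicious:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "action": params.get("action", ["?"])[0],
                         "params": suspicious})
    return hits


if __name__ == "__main__":
    for hit in flag_unauth_ajax_sqli(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported: the third carries a login cookie and the fourth is not an admin-ajax.php request. Scope the rule to hosts where the plugin at version <= 1.1 is actually installed, as the third bullet advises.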