CVE-2024-6924
Published 2024-09-08
Priority: P2 (69) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit
EPSS: 3.29% (87.0th percentile)
The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themetechmount | truebooker | <= 1.0.2 | — |
Detection & IOCs (extracted from sources)
- The SQL injection is reachable via an AJAX action available to unauthenticated users. Monitor WordPress AJAX endpoints (wp-admin/admin-ajax.php) for unsanitised parameter values in unauthenticated requests targeting TrueBooker plugin actions.
- Versions of the TrueBooker WordPress plugin before 1.0.3 are vulnerable; flag installations running versions < 1.0.3.
- The Sigma rule digest/signature provided in the source should be validated against the canonical rule repository before operational deployment, as the rule body appears incomplete in the source material.
No detection rules found.
Nuclei
TrueBooker <= 1.0.2 - SQL Injection (nuclei · CVSS 9.8)
CVE-2024-6924 [CRITICAL] TrueBooker <= 1.0.2 - SQL Injection

Only the tail of the template's matcher block survives in the source; the request definition and the start of the matcher are truncated:

```yaml
        =6'
        - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022063f063d8d17640b20b6955ec811012f321a7a417f8827a8a7baeaf17c264cf33022100d2dc54fd0515b792481c24c61d6376c3a358ea4fbf6be3cd4ff2c8ff0340a7f8:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.