CVE-2024-6928
published 2024-09-08

CVE-2024-6928: The Opti Marketing WordPress plugin through 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action…

Priority: P269 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation: EPSS 3.29% (86.9th percentile)
The Opti Marketing WordPress plugin through 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Affected (1 range)

Vendor          Product         Version range   Fixed in
opti.marketing  opti_marketing  <= 2.0.9        (none listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
snort (written in Suricata-compatible syntax: `alert http`, legacy content modifiers and the pcre `/P` client-body flag; the original character class `['\"%20]` matched the single characters `%`, `2` and `0` rather than an encoded space, which is corrected below)
alert http any any -> any any (msg:"CVE-2024-6928 Opti Marketing WordPress SQLi"; flow:to_server,established; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php"; http_uri; content:"action="; http_client_body; pcre:"/(?:'|\"|%27|%22|%20|\+)+(?:union|select|insert|update|delete|drop|--)/Pi"; reference:cve,2024-6928; classtype:web-application-attack; sid:20246928; rev:2;)
  • The SQL injection is triggered via an unauthenticated AJAX action: monitor POST requests to /wp-admin/admin-ajax.php from unauthenticated sessions (no valid WordPress auth cookies, i.e. no wordpress_logged_in_* cookie) whose body parameters contain SQL metacharacters or keywords.
  • The nuclei template's matchers include an HTTP 200 status, but admin-ajax.php normally answers 200 for any registered action whatever the injected query did, so the status alone is not confirmation: treat a probe as a confirmed hit only when the template's full matcher set fires (status plus its body or timing conditions), then verify by hand.
  • The affected range is up to and including 2.0.9: fingerprint the installed version via /wp-content/plugins/opti-marketing/readme.txt (the `Stable tag:` line) or similar to identify vulnerable installations.
  • The nuclei template digest/signature is present but the source URL for the template is blank, so the template's provenance cannot be fully verified from the provided sources.
  • The specific AJAX action name (the value of the `action=` parameter) used by the vulnerable Opti Marketing endpoint is not disclosed in the available sources; detections keyed only on admin-ajax.php will produce false positives until the exact action name is known.
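The two log-side checks above (unauthenticated admin-ajax.php POSTs carrying SQL metacharacters, and version fingerprinting from readme.txt) as one runnable triage helper. This is an added example, not code from the advisory, the plugin or any nuclei/Snort source. It assumes a simplified log format of `METHOD URI | Cookie header | request body` (the sample lines and readme text are constructed), and it uses `placeholder_action` as a stand-in because the real vulnerable action name is not in the sources. Unlike the wire-level pcre in the Snort rule, the keyword check runs on URL-decoded parameter values, so `+`, `%20` and `%27` variants are normalised before matching.

```python
"""Triage helper for CVE-2024-6928-style unauthenticated admin-ajax.php SQLi.

Added example, not part of the original advisory.  It implements the two
heuristics from the Detection & IOCs notes:
  1. flag POST requests to /wp-admin/admin-ajax.php that carry no WordPress
     auth cookie and have SQL metacharacters/keywords in a body parameter,
     reporting the `action=` value so an analyst can triage (the vulnerable
     action name is not public, so every hit still needs manual confirmation);
  2. parse a plugin readme.txt "Stable tag:" line and compare it against the
     affected range (<= 2.0.9).
All log lines and readme text below are constructed sample data.
"""
import re
from urllib.parse import parse_qs

LAST_AFFECTED = (2, 0, 9)        # advisory: affected through 2.0.9
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Matched against the *decoded* parameter value: quotes, comment openers and
# common SQL keywords.  parse_qs has already turned '+', %20, %27 etc. back
# into plain characters, so encoding tricks do not evade this check.
SQLI_RE = re.compile(
    r"(?:['\"]|--|/\*|\b(?:union|select|insert|update|delete|drop|sleep|benchmark)\b)",
    re.IGNORECASE,
)


def is_wp_authenticated(cookie_header: str) -> bool:
    """WordPress sets wordpress_logged_in_<hash> for authenticated sessions."""
    return "wordpress_logged_in_" in (cookie_header or "")


def flag_request(method: str, uri: str, cookie_header: str, body: str):
    """Return a finding dict for a suspicious unauthenticated admin-ajax POST, else None."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != AJAX_PATH:
        return None
    if is_wp_authenticated(cookie_header):
        return None                  # advisory describes the nopriv (unauthenticated) path
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    if not action:
        return None                  # admin-ajax.php rejects requests without an action
    hits = {}
    for name, values in params.items():
        if name == "action":
            continue                 # the action name selects the handler; not the injection point
        for value in values:
            if SQLI_RE.search(value):
                hits[name] = value
    return {"action": action, "params": hits} if hits else None


# Constructed sample lines in the format "METHOD URI | Cookie | Body".
# "placeholder_action" stands in for the undisclosed vulnerable action name.
SAMPLE_LOG = [
    "POST /wp-admin/admin-ajax.php | - | action=placeholder_action&id=1'+UNION+SELECT+1,2,3--",
    "POST /wp-admin/admin-ajax.php | wordpress_logged_in_abc=u%7C1 | action=heartbeat&data=1",
    "POST /wp-admin/admin-ajax.php | - | action=placeholder_action&id=7",
    "GET /wp-content/plugins/opti-marketing/readme.txt | - | ",
    "POST /wp-admin/admin-ajax.php | - | action=placeholder_action&q=%27%20or%20sleep(5)--",
]


def scan_log(lines):
    """Apply flag_request to each sample line; returns the list of findings."""
    findings = []
    for line in lines:
        req, cookie, body = [part.strip() for part in line.split("|", 2)]
        method, uri = req.split(" ", 1)
        finding = flag_request(method, uri, "" if cookie == "-" else cookie, body)
        if finding:
            findings.append(finding)
    return findings


def parse_stable_tag(readme_text: str):
    """Extract the 'Stable tag:' version from a WordPress plugin readme.txt as an int tuple."""
    match = re.search(r"^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)", readme_text, re.M | re.I)
    return tuple(int(x) for x in match.group(1).split(".")) if match else None


def is_affected_version(version) -> bool:
    """True when the parsed version falls inside the advisory's <= 2.0.9 range."""
    return version is not None and version <= LAST_AFFECTED


# Constructed readme fragment, not the plugin's real file.
SAMPLE_README = "=== Opti Marketing ===\nStable tag: 2.0.9\nRequires at least: 5.0\n"

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("suspicious unauthenticated admin-ajax POST:", finding)
    version = parse_stable_tag(SAMPLE_README)
    print("readme Stable tag:", version, "affected:", is_affected_version(version))
```

Two of the five sample lines are flagged (the UNION payload and the encoded time-based probe); the authenticated heartbeat call and the benign `id=7` request are not. Each finding carries the `action` value so an analyst can group hits per handler, which is the practical workaround for the undisclosed action name noted above.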