CVE-2024-7607
Published: 2024-08-29
Priority: P3 (51)
Severity: high; CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.54% (41.4th percentile)
The Front End Users plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.2.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| etoilewebdesign | front_end_users | < 3.2.29 | 3.2.29 |
| rustaurius | front_end_users | <= 3.2.28 | — |
GHSA
GHSA-7xcm-586q-jcgq (ghsa_unreviewed, 2024-08-29): CVE-2024-7607 [HIGH] CWE-89. Same description as the CVE entry above.
Red Hat
CVE-2024-27055 (vendor_redhat, 2024-05-01): kernel: workqueue: Don't call cpumask_test_cpu() with -1 CPU in wq_update_node_max_active()
[REJECTED CVE]
Statement: This CVE has been rejected upstream:
https://lore.kernel.org/linux-cve-announce/2025031051-REJECTED-7607@gregkh/
Red Hat has also evaluated this issue and determined that it does not meet the criteria to be classified as a security vulnerability. This assessment is based on the issue not posing a significant security risk, being a result of misconfiguration or usage error, or falling outside the scope of security considerations.
As such, this CVE has been marked as "Rejected" in alignment with Red Hat's vulnerability management policies.
If you have additional information or concerns regarding this determination, please contact Red Hat Product Security for further clarifi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/front-end-only-users/trunk/html/UsersPage.php#L42
- https://plugins.trac.wordpress.org/browser/front-end-only-users/trunk/html/UsersPage.php#L60
- https://plugins.trac.wordpress.org/browser/front-end-only-users/trunk/html/UsersPage.php#L63
- https://plugins.trac.wordpress.org/browser/front-end-only-users/trunk/html/UsersPage.php#L76
- https://plugins.trac.wordpress.org/changeset/3142978/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ec162cdc-d4cd-47d9-b941-24bfee6c48fd?source=cve