CVE-2024-0685
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2024-0685 is a SQL Injection vulnerability affecting the Ninja Forms Contact Form plugin for WordPress, versions up to 3.7.1. Attackers can exploit this issue by submitting malicious SQL code through the email address field in forms. The plugin neither properly escapes user-supplied data nor uses prepared SQL statements, so attacker-controlled input is concatenated into the existing queries and can alter them. Consequently, unauthenticated attackers can manipulate the database and potentially read sensitive information or take control of the affected WordPress site. Site administrators should immediately update to the latest version of the plugin to mitigate this risk.
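As an added example (not the plugin's own code): a hypothetical WordPress handler that looks up a submission by the posted email address, first in the concatenated form the summary describes and then rewritten with `$wpdb->prepare()`. The `form_submissions` table and both function names are assumptions.

```php
<?php
// Illustrative only, not Ninja Forms code. Assumes a custom table
// {$wpdb->prefix}form_submissions with an `email` column.

// VULNERABLE pattern: the untrusted value is interpolated straight into the
// SQL text. A single quote inside $email closes the string literal and the
// rest of the value is parsed as SQL, which is the bug class in the summary.
function lookup_submission_vulnerable( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'form_submissions';
    $sql   = "SELECT id, email FROM {$table} WHERE email = '{$email}'";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: validate the field shape first, then bind the value
// through $wpdb->prepare(). The %s placeholder is escaped and quoted by
// WordPress, so the submitted value is always treated as data, never SQL.
// The table name comes from the trusted $wpdb->prefix, not from user input.
function lookup_submission_safe( $email ) {
    global $wpdb;
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Malformed email address.' );
    }
    $table = $wpdb->prefix . 'form_submissions';
    $sql   = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing plugin code, every `$wpdb` query that interpolates a request value outside `prepare()` is the pattern to flag; unauthenticated form handlers deserve the closest look.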
Affected Products
- Ninjaforms Ninja Forms
- Ninja Forms
Affected Vendors
- Ninjaforms