CVE-2024-0913

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Mar 29, 2024

Summary

CVE-2024-0913 is a vulnerability affecting the WP ERP plugin for WordPress, specifically its accounting module. The issue stems from insufficient escaping of user-supplied parameters, namely 'status' and 'customer_id', in the /erp/v1/accounting/v1/transactions/sales REST API endpoint. This flaw allows authenticated attackers with accounting manager or admin privileges to inject additional SQL queries into existing ones, potentially extracting sensitive information from the database. Versions up to and including 1.12.9 are impacted.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/uSJX1a
https://www.cve.org/CVERecord?id=CVE-2024-0913
https://nvd.nist.gov/vuln/detail/CVE-2024-0913

Back to Vulnerability Database

CVE-2024-0913

CVSS 3.1 Score 7.2 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations