CVE-2024-9130

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Sep 27, 2024
CWE ID 89

Summary

CVE-2024-9130 is a high-severity vulnerability in the GiveWP Donation Plugin and Fundraising Platform for WordPress, affecting all versions up to and including 3.16.1. It is a time-based blind SQL injection through the 'order' parameter: the plugin neither escaped the user-supplied value adequately nor used a prepared query, so the value was concatenated into the SQL statement. An authenticated attacker with GiveWP Manager-level access can, in Legacy View mode, append additional SQL to the existing query and use the resulting response delays to extract sensitive information from the database. The CVSS 3.1 score of 7.2 reflects low attack complexity, high privileges required, and high confidentiality and integrity impact. Users are advised to update the plugin to the latest version, in which the issue has been addressed; organizations running affected versions should prioritize the update and review which accounts hold Manager-level access.
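The summary describes the pattern behind the flaw, not the plugin's actual code. The following is an added example (not GiveWP's or WordPress's code) that shows why an 'order' parameter is a classic injection point and how the fix looks. A sort direction cannot be bound as a query parameter, so escaping is not enough; the accepted values have to be restricted to an allowlist. The example runs against an in-memory SQLite database with constructed rows; because SQLite has no SLEEP(), a Python `sleep` function is registered as a stand-in for MySQL's SLEEP() so the time-based payload behaves as it would against the WordPress database. The table, column and function names are assumptions made for the demonstration.

```python
import sqlite3
import time

# Only these values are allowed to reach the ORDER BY clause. The direction
# keyword cannot be passed as a bound parameter, so an allowlist is the fix.
ALLOWED_ORDER = {"ASC", "DESC"}


def make_db():
    """Create an in-memory database with constructed sample donation rows."""
    conn = sqlite3.connect(":memory:")
    # Stand-in for MySQL's SLEEP(): sleep for the given seconds and return 0.
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)
    conn.execute("CREATE TABLE donations (id INTEGER PRIMARY KEY, amount REAL)")
    conn.executemany(
        "INSERT INTO donations (amount) VALUES (?)", [(10.0,), (25.0,), (5.0,)]
    )
    return conn


def vulnerable_query(conn, order):
    """Insecure pattern: the user-controlled 'order' value is spliced into the SQL text.

    Anything after the direction keyword is executed as part of the query, so
    an attacker can append an expression that delays the response when a
    chosen condition is true (time-based blind SQL injection).
    """
    sql = "SELECT id, amount FROM donations ORDER BY amount " + order
    return conn.execute(sql).fetchall()


def safe_query(conn, order):
    """Hardened pattern: only an allowlisted direction keyword reaches the query."""
    direction = order.strip().upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"rejected order value: {order!r}")
    sql = "SELECT id, amount FROM donations ORDER BY amount " + direction
    return conn.execute(sql).fetchall()


def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed_seconds)."""
    start = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - start


# Constructed probe: a legitimate direction followed by an injected expression
# that sleeps when the attacker's condition holds. Against MySQL the same shape
# would be "ASC, IF(<condition>, SLEEP(5), 0)".
PROBE = "ASC, (CASE WHEN amount > 0 THEN sleep(0.1) ELSE 0 END)"

if __name__ == "__main__":
    db = make_db()
    rows, elapsed = timed(vulnerable_query, db, PROBE)
    print(f"vulnerable: {rows} in {elapsed:.2f}s (delay reveals the condition was true)")
    try:
        safe_query(db, PROBE)
    except ValueError as err:
        print(f"hardened: {err}")
    print(f"hardened, legitimate input: {safe_query(db, 'desc')}")
```

The vulnerable function still returns correctly sorted rows, which is why this class of bug is blind: the only signal the attacker gets is the delay, and the query that produces it is a valid statement. In a WordPress plugin the same allowlist approach applies; WordPress core also provides `sanitize_sql_orderby()` for full "column direction" strings, but a direction-only parameter is simplest to check against a fixed set as above.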
