CVE-2024-3342 – The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL …

27 April 2024

Vuln ID: CVE-2024-3342

Published: 2024-04-27 09:15:09.093

Description: The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection via the ‘events’ attribute of the ‘mp-timetable’ shortcode in all versions up to, and including, 2.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Base Score: 9.9 – CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Source: NVD.NIST.GOV

Date:

27 April 2024

Categorie(s):

NVD

Tag(s):

NVD

Cancer patients’ sensitive information accessed by “unidentified parties” after being left exposed by screening lab for years9 May 2024
DocGo patient health data stolen in cyberattack9 May 2024
Cybersecurity Festival 2024: Four ways to cut your cyber insurance premiums9 May 2024
SocGholish Attacks Enterprises Via Fake Browser Updates9 May 2024
The Future of Phishing Email Training for Employees in Cybersecurity9 May 2024