CVE-2024-8484 Scanner
CVE-2024-8484 scanner - SQL Injection vulnerability in REST API TO MiniProgram
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 27 days 13 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
The REST API TO MiniProgram is a WordPress plugin primarily used by developers and administrators to integrate WordPress with various mini-programs, including mobile and web apps. It helps connect content and comments between platforms in a streamlined way. Designed for WordPress environments, this plugin eases API management, especially for comment functionalities. Web developers, particularly those managing multiple content platforms, use it widely. Its flexibility in handling user-generated content makes it popular across dynamic websites.
This SQL Injection vulnerability arises from insufficient input validation on the 'order' parameter in the plugin's REST API endpoint /wp-json/watch-life-net/v1/comment/getcomments. This weakness allows attackers to execute arbitrary SQL commands, enabling them to manipulate or retrieve sensitive database information. Since this endpoint can be accessed without authentication, the vulnerability exposes critical data. The issue impacts all versions up to 4.7.1, requiring administrators to take immediate action.
The REST API TO MiniProgram plugin lacks proper validation and escaping mechanisms for user-supplied input on the 'order' parameter. This parameter is susceptible to SQL Injection attacks, allowing attackers to append additional SQL commands. Exploiting this flaw on the /wp-json/watch-life-net/v1/comment/getcomments endpoint permits the extraction of sensitive data from the WordPress database. The vulnerability lies in the failure to use secure SQL query functions, which enables unauthenticated attackers to manipulate existing queries. Malicious payloads such as SLEEP() can be executed to verify the vulnerability and demonstrate control over the database.
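A defender-side check for the weakness described above, added here as an example (it is not S4E's scanner logic or the plugin's code): an allowlist test for the 'order' parameter, applied to constructed access-log lines to surface requests to the getcomments endpoint whose sort value is anything other than a plain direction. The common-log format, the query parameter names and the asc/desc allowlist are assumptions.

```python
"""Log-based detection for anomalous 'order' values on the getcomments endpoint.

Added example, not code from the page's author or the plugin. The log format,
the 'postid' parameter name and the allowlist of sort directions are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/watch-life-net/v1/comment/getcomments"
ALLOWED_ORDER = {"asc", "desc"}  # assumed legitimate sort directions for 'order'
# Assumed common-log-format line: client, request line, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def order_is_valid(value: str) -> bool:
    """Allowlist check: a sort direction is 'asc' or 'desc' and nothing else."""
    return value.strip().lower() in ALLOWED_ORDER


def suspicious_requests(log_lines):
    """Return (client, order_value, status) for getcomments requests whose
    'order' parameter fails the allowlist; requests to other paths are ignored."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # line not in the assumed log format
        client, target, status = match.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("order", []):
            if not order_is_valid(value):
                hits.append((client, value, int(status)))
    return hits


# Constructed sample log lines (not real traffic); the second one carries the
# SLEEP() probe the page mentions, the third hits an unrelated endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:10:00:01 +0000] "GET /wp-json/watch-life-net/v1/comment/getcomments?postid=12&order=desc HTTP/1.1" 200',
    '198.51.100.7 - - [10/Oct/2024:10:00:09 +0000] "GET /wp-json/watch-life-net/v1/comment/getcomments?postid=12&order=SLEEP(5) HTTP/1.1" 200',
    '198.51.100.7 - - [10/Oct/2024:10:00:12 +0000] "GET /wp-json/wp/v2/posts?order=SLEEP(5) HTTP/1.1" 400',
]

if __name__ == "__main__":
    for client, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent order={value!r} to {ENDPOINT} (HTTP {status})")
```

The same allowlist is the shape of the server-side fix: a sort parameter should be mapped to a fixed set of values before it reaches any query, never concatenated into SQL.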
Exploitation of this vulnerability allows attackers unauthorized access to the database, potentially leading to data leakage, unauthorized data retrieval, or alteration. Sensitive user information, including credentials and PII, could be exposed. In extreme cases, it may facilitate further attacks on the server or compromise the integrity of website data. The SQL Injection vulnerability also increases the risk of service disruptions.
By using S4E's comprehensive vulnerability management tools, organizations can secure their online assets against threats like SQL Injection effectively. The platform offers easy-to-follow guidance and automated alerts, making it simple to identify and resolve issues promptly. Members gain access to an extensive knowledge base and support, keeping them informed and secure. Protect your website and user data with advanced, reliable detection and dedicated resources. S4E provides a user-friendly solution that combines robust protection with actionable insights.
References:
- https://github.com/RandomRobbieBF/CVE-2024-8484
- https://www.usom.gov.tr/bildirim/tr-24-1528
- https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-comments-controller.php#L247
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0945eb-ceec-4536-822a-fe864c21b580?source=cve
- https://nvd.nist.gov/vuln/detail/CVE-2024-8484