S4E

CVE-2024-3552 Scanner

CVE-2024-3552 scanner - SQL Injection (SQLi) vulnerability in Web Directory Free


Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: Domain, IPv4
Toolbox: -

Web Directory Free is a widely used plugin for WordPress that allows users to create and manage web directories. It is commonly employed by website owners to list businesses, services, or resources in an organized manner. The plugin is popular due to its flexibility and user-friendly interface. Small to medium-sized businesses, as well as bloggers, use it to monetize their directories through ads and paid listings. The plugin integrates seamlessly with WordPress, making it a preferred choice for many website administrators.

The SQL Injection vulnerability in Web Directory Free occurs due to improper sanitization and escaping of a parameter in an AJAX action. This flaw allows unauthenticated users to execute arbitrary SQL commands on the database. Attackers can exploit this vulnerability using different SQL Injection techniques such as UNION, Time-Based, and Error-Based injections. The vulnerability poses a critical risk to the integrity and confidentiality of the database.

The vulnerability is found in the w2dc_get_map_marker_info action available via the admin-ajax.php endpoint in the Web Directory Free plugin. This action does not properly sanitize the locations_ids[] parameter, allowing attackers to inject malicious SQL queries. The vulnerability is particularly dangerous because it can be exploited by unauthenticated users, meaning no prior access to the system is needed. Attackers can utilize UNION-based injections to extract data or Time-Based injections to determine the presence of certain conditions within the database.
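The root cause described above is an array of ids from an AJAX request reaching a SQL statement without sanitization. The following is an added illustration, not code from the Web Directory Free plugin: a hypothetical WordPress AJAX handler (function and hook names are invented, and the query against wp_posts is only a stand-in for whatever table a real plugin would read) shown first in the vulnerable shape, then hardened so that every value is cast to an integer and bound through $wpdb->prepare() placeholders.

```php
<?php
// Added example (hypothetical handler, not the plugin's own code).
// It assumes the WordPress $wpdb object and the wp_posts table.

// Vulnerable pattern: request values are joined straight into the SQL text,
// so any non-numeric content in locations_ids[] becomes part of the query.
function hypothetical_marker_info_unsafe() {
    global $wpdb;
    $ids = isset( $_POST['locations_ids'] ) ? (array) $_POST['locations_ids'] : array();
    $in  = implode( ',', $ids ); // untrusted text, never validated
    $rows = $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ($in)" );
    wp_send_json( $rows );
}

// Hardened pattern: every element is forced to a non-negative integer, empty
// or all-invalid input is rejected, and the IN (...) list is built from %d
// placeholders so $wpdb->prepare() binds the values instead of concatenating them.
function hypothetical_marker_info_safe() {
    global $wpdb;
    $raw = isset( $_POST['locations_ids'] ) ? (array) wp_unslash( $_POST['locations_ids'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) ); // drops 0 and non-numeric entries
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid location ids supplied', 400 );
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ($placeholders) AND post_status = 'publish'",
        $ids
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// The action is registered for both logged-in and anonymous callers, matching the
// unauthenticated reachability the description above mentions; only the safe
// handler is hooked, the unsafe one exists purely for comparison.
add_action( 'wp_ajax_hypothetical_marker_info', 'hypothetical_marker_info_safe' );
add_action( 'wp_ajax_nopriv_hypothetical_marker_info', 'hypothetical_marker_info_safe' );
```

The key design choice is that the number of placeholders is derived from the already-sanitized array, so the query shape and the bound values are both under the handler's control; a reviewer checking a plugin for this class of flaw should look for any implode() or string interpolation of request data inside a query and expect the prepare()-with-placeholders form instead.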

If exploited, this vulnerability could allow attackers to gain unauthorized access to the WordPress database, potentially leading to data theft, database manipulation, or even complete takeover of the affected WordPress site. The integrity and availability of the data stored in the database could be compromised, leading to severe reputational damage and loss of trust from users.

By using s4e, you can proactively identify and mitigate critical vulnerabilities like the SQL Injection in Web Directory Free. Our platform offers a comprehensive suite of tools that continuously monitor your digital assets, ensuring that you are always aware of potential threats. With timely alerts and detailed reports, you can take action before attackers exploit vulnerabilities. Join our community and enhance your cybersecurity posture with our expert-driven solutions.
