
A critical security vulnerability has been discovered in the WordPress plugin TI WooCommerce Wishlist, potentially exposing over 100,000 websites to attack. The flaw allows unauthenticated users to execute arbitrary SQL queries, which could grant them full control over affected websites.
The vulnerability, tracked as CVE-2024-43917 with a CVSS score of 9.3, is a SQL injection in the plugin's code. Attackers can exploit it to bypass security measures and manipulate the WordPress site's database, leading to data breaches, defacements, and even complete site takeover.
As of the plugin's latest version, 2.8.2, the vulnerability remains unpatched, leaving site administrators and owners with limited options to secure their websites.
Customers are strongly recommended to deactivate and delete the plugin immediately. Without a patched version, continuing to use the plugin exposes your site to significant risk, potentially allowing attackers to compromise the database and access sensitive information.
Vulnerability Disclosure Timeline
- 18 July 2024 - We found the vulnerability and notified the vendor.
- 22 August 2024 - Published the vulnerability to the Patchstack vulnerability database (no reply from vendor).
- 12 September 2024 - Plugin closed by the WP plugin review team.
- 25 September 2024 - Security advisory article publicly released.