CVE-2024-43917 (CVSS 9.3): Unpatched SQLi Flaw in TI WooCommerce Wishlist Threatens 100,000+ Sites
A critical security vulnerability has been discovered in the widely used WordPress plugin TI WooCommerce Wishlist, potentially exposing over 100,000 websites to malicious attacks. The flaw, tracked as CVE-2024-43917 with a CVSS score of 9.3, allows unauthenticated users to execute arbitrary SQL queries, potentially granting them full control over affected websites.
The vulnerability stems from a SQL injection flaw within the plugin’s code. Attackers can exploit this vulnerability to bypass security measures and manipulate the database of the WordPress site, leading to data breaches, defacements, and even complete site takeover.
As of the latest version of the plugin, 2.8.2, the vulnerability remains unpatched, leaving site administrators and owners with limited options to secure their websites. In the meantime, Ananda Dhakal from Patchstack has published the technical details of this flaw, which further highlights its severity and the urgent need for action.
If you are using the TI WooCommerce Wishlist plugin on your WordPress site, it is strongly recommended to deactivate and delete the plugin immediately. Without a patched version, continuing to use the plugin exposes your site to significant risk, potentially allowing attackers to compromise the database and access sensitive information.
For further details and technical insights, visit Patchstack’s advisory on CVE-2024-43917.