CVE-2024-37090
📋 TL;DR
This SQL injection vulnerability in StylemixThemes WordPress plugins allows attackers to execute arbitrary SQL commands through unsanitized user input. It affects websites using Masterstudy Elementor Widgets up to version 1.2.2 or Consulting Elementor Widgets up to version 1.3.0, potentially compromising database integrity and confidentiality.
💻 Affected Systems
- Masterstudy Elementor Widgets
- Consulting Elementor Widgets
📦 What is this software?
Consulting Elementor Widgets by Stylemixthemes
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, modification, or deletion; potential privilege escalation to administrative access; possible remote code execution via database functions.
Likely Case
Unauthorized data access and extraction of sensitive information stored in WordPress databases, including user credentials, personal data, and site content.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification privileges.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited with automated tools; CVSS 8.5 indicates high exploitability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Masterstudy Elementor Widgets: >1.2.2; Consulting Elementor Widgets: >1.3.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Update Masterstudy Elementor Widgets to version >1.2.2 and/or Consulting Elementor Widgets to version >1.3.0.
4. Verify the updates completed successfully.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugins until patches can be applied:
wp plugin deactivate masterstudy-elementor-widgets
wp plugin deactivate consulting-elementor-widgets
Web Application Firewall Rules
Implement WAF rules to block SQL injection patterns targeting these plugins.
🧯 If You Can't Patch
- Immediately disable both vulnerable plugins via WordPress admin or command line
- Implement network-level restrictions to limit access to affected WordPress instances
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Masterstudy Elementor Widgets version ≤1.2.2 or Consulting Elementor Widgets version ≤1.3.0
Check Version:
wp plugin list --fields=name,version --format=csv
Verify Fix Applied:
Confirm plugin versions show >1.2.2 for Masterstudy Elementor Widgets and >1.3.0 for Consulting Elementor Widgets
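An added example, not part of this advisory or of the vendor's tooling: a POSIX shell check that reads the output of the wp plugin list command above, compares each of the two plugin slugs (the same slugs used in the deactivate commands) against its last vulnerable version, and reports any install still at or below it. The CSV sample embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): flag still-vulnerable
# StylemixThemes plugins in `wp plugin list --fields=name,version --format=csv` output.

# Constructed sample of wp-cli CSV output; not captured from a real site.
SAMPLE_CSV='name,version
akismet,5.3
masterstudy-elementor-widgets,1.2.2
consulting-elementor-widgets,1.3.1'

# version_le A B: succeeds if version A <= version B, comparing each dot-separated
# component numerically (so 1.10 > 1.9; a missing component counts as 0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# check_plugins: reads the CSV on stdin, prints one line per plugin still at or
# below its last vulnerable version, and returns 0 if any was found (1 if clean).
check_plugins() {
    found=1
    while IFS=, read -r name version; do
        case "$name" in
            masterstudy-elementor-widgets) max=1.2.2 ;;   # fixed in >1.2.2
            consulting-elementor-widgets)  max=1.3.0 ;;   # fixed in >1.3.0
            *) continue ;;                                # header line, other plugins
        esac
        if version_le "$version" "$max"; then
            printf '%s %s vulnerable (fixed in >%s)\n' "$name" "$version" "$max"
            found=0
        fi
    done
    return $found
}

# On a live site: wp plugin list --fields=name,version --format=csv | check_plugins
printf '%s\n' "$SAMPLE_CSV" | check_plugins
```

Exit status 0 means at least one vulnerable plugin was found, so the check can gate a deployment or feed a monitoring job directly.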
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns in WordPress logs
- Multiple failed login attempts followed by SQL error messages
- Unexpected database schema changes
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, etc.) targeting plugin endpoints
- Abnormal database connection patterns from web servers
SIEM Query:
source="wordpress.log" AND ("masterstudy-elementor-widgets" OR "consulting-elementor-widgets") AND ("SQL" OR "database error" OR "mysql")
🔗 References
- https://patchstack.com/database/vulnerability/consulting-elementor-widgets/wordpress-consulting-elementor-widgets-plugin-1-3-0-sql-injection-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/masterstudy-elementor-widgets/wordpress-masterstudy-elementor-widgets-plugin-1-2-2-sql-injection-vulnerability?_s_id=cve