CVE-2024-43145

8.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the GeoDirectory WordPress plugin lets an attacker inject arbitrary SQL into queries the plugin runs against the site's database. Every WordPress site running GeoDirectory 2.3.61 or earlier is affected, and the whole WordPress database (including the user table with its password hashes) is in reach of the injected query.

💻 Affected Systems

Products:
  • GeoDirectory WordPress Plugin
Versions: All versions up to and including 2.3.61
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with GeoDirectory plugin enabled. No special configuration needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive plugin data, user information exposure, and potential WordPress admin access through credential extraction.

🟢

If Mitigated

Exposure limited to the window before the patch or a workaround (plugin deactivation, WAF virtual patching) is in place; a least-privilege database user confines whatever an injected query can read or change to this site's own schema.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection flaws are typically trivial to exploit once the vulnerable parameter is known. No public exploit code for this CVE had been identified at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.62 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/geodirectory/wordpress-geodirectory-plugin-2-3-61-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find GeoDirectory and click 'Update Now'.
4. Verify the installed version is 2.3.62 or higher.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Applies to: all versions

Disable GeoDirectory until it can be patched (the directory features it provides are offline while it is disabled, but the vulnerable code can no longer be reached):

wp plugin deactivate geodirectory

Web Application Firewall Rules

Applies to: all versions

Block requests that carry SQL syntax (UNION SELECT, OR 1=1, quote-and-comment sequences, SLEEP()) in parameters sent to GeoDirectory endpoints. This is virtual patching: rules keyed on literal keywords can be bypassed with encoding or case changes, so treat it as a stopgap, not a fix.

🧯 If You Can't Patch

  • Deactivate the plugin or put WAF virtual patching in front of it (above); parameterized queries in your own code do not fix a flaw inside the plugin's code
  • Restrict the WordPress database user to the site's own database with only the privileges WordPress needs (no FILE, SUPER or access to other schemas), so an injected query cannot reach beyond this site
  • Once patched, rotate WordPress passwords and the salts in wp-config.php, since password hashes may already have been extracted

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → GeoDirectory version number

Check Version:

wp plugin get geodirectory --field=version

Verify Fix Applied:

Confirm GeoDirectory version is 2.3.62 or higher in WordPress admin
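For a fleet of sites the manual check above does not scale. The following Python script is an added example (not part of the original advisory or of GeoDirectory itself): it parses the JSON that `wp plugin list --format=json` emits, compares the installed GeoDirectory version against the first fixed release, and distinguishes "vulnerable and active" from "vulnerable but deactivated". The site names and plugin listings are constructed sample data; `assess_site()` shows how to feed it real wp-cli output and assumes `wp` is on PATH.

```python
import json
import re
import subprocess

FIXED_VERSION = "2.3.62"     # first fixed release per the advisory
PLUGIN_SLUG = "geodirectory"


def parse_version(v):
    """Turn '2.3.61' or '2.3.62-beta1' into a comparable tuple of ints (pre-release suffix ignored)."""
    nums = re.findall(r"\d+", v.split("-")[0])
    return tuple(int(n) for n in nums)


def is_vulnerable(version):
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_plugin_list(plugin_list_json):
    """Given the output of `wp plugin list --format=json`, describe GeoDirectory's state on that site."""
    for p in json.loads(plugin_list_json):
        if p.get("name") == PLUGIN_SLUG:
            vuln = is_vulnerable(p["version"])
            return {
                "installed": True,
                "version": p["version"],
                "status": p.get("status"),
                "vulnerable": vuln,
                # inactive but unpatched: the deactivation workaround is in place, but the
                # code is still on disk and becomes exploitable again on re-activation
                "exposed": vuln and p.get("status") == "active",
            }
    return {"installed": False, "vulnerable": False, "exposed": False}


def assess_site(wp_path):
    """Run wp-cli against a real install (assumes `wp` is on PATH). Not called by the sample run below."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return assess_plugin_list(out)


# Constructed sample data: what `wp plugin list --format=json` might return on four sites.
SAMPLE_SITES = {
    "shop.example": '[{"name":"geodirectory","status":"active","update":"available","version":"2.3.61"}]',
    "blog.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
    "dir.example":  '[{"name":"geodirectory","status":"inactive","update":"none","version":"2.3.62"}]',
    "map.example":  '[{"name":"geodirectory","status":"inactive","update":"available","version":"2.3.60"}]',
}


def fleet_report(sites=SAMPLE_SITES):
    """Map each site to its GeoDirectory assessment."""
    return {host: assess_plugin_list(js) for host, js in sites.items()}


if __name__ == "__main__":
    for host, r in fleet_report().items():
        flag = "EXPOSED" if r["exposed"] else ("unpatched" if r["vulnerable"] else "ok")
        print(f"{host:14} {flag:9} {r}")
```

Only `exposed` sites need emergency action; `vulnerable` but inactive ones still need the update before anyone re-enables the plugin.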

📡 Detection & Monitoring

Log Indicators:

  • SQL keywords (UNION, SELECT, information_schema, SLEEP) or quote and comment characters in parameters sent to GeoDirectory endpoints, including their URL-encoded forms (%27, %20UNION%20SELECT)
  • Unusual queries in the MySQL general or slow query log (UNION reads of wp_users, information_schema enumeration); the general log is off by default and must be enabled to capture them
  • Bursts of failed login attempts from a single IP, which may be an attacker trying credentials recovered from wp_users
  • Unexpected plugin file modifications

Network Indicators:

  • HTTP requests with SQL syntax in parameters to GeoDirectory endpoints
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="*geodirectory*" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*")

This query only matches payloads that are upper-case and not URL-encoded. Decode the query string before matching (twice, to catch double encoding) and match case-insensitively; otherwise the "%27%20union%20select" form an attacker actually sends slips through.
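The following Python script is an added example of the decoded, case-insensitive matching described above; it is not part of the original advisory and not GeoDirectory code. It scans Apache combined-format access-log lines, URL-decodes the request URI repeatedly so double-encoded payloads are normalised, flags common SQL injection shapes, and marks which hits target a GeoDirectory request. The log lines are constructed samples, and the parameter names in them (geodir_search, action=geodir_ajax) are illustrative stand-ins for "a request handled by GeoDirectory", not documented endpoints.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
# geodir_search / action=geodir_ajax are illustrative placeholders, not documented endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2024:10:01:02 +0000] "GET /?geodir_search=1&s=pizza&snear=London HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2024:10:01:07 +0000] "GET /?geodir_search=1&s=pizza%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 7310 "-" "python-requests/2.31"
203.0.113.12 - - [12/Aug/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=geodir_ajax&id=5%2520OR%25201%253D1 HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.13 - - [12/Aug/2024:10:01:15 +0000] "GET /?s=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4000 "-" "curl/8.0"
203.0.113.14 - - [12/Aug/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# (label, regex) pairs applied to the fully URL-decoded request URI, case-insensitively.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("tautology",    re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("time_based",   re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment_tail", re.compile(r"(--\s|/\*|\*/)")),
]


def decode_fully(s, max_rounds=3):
    """URL-decode repeatedly (bounded) so %2527-style double encoding ends up as a plain quote."""
    for _ in range(max_rounds):
        d = unquote_plus(s)
        if d == s:
            return s
        s = d
    return s


def sqli_labels(decoded_uri):
    """Names of every injection pattern that matches the decoded URI."""
    return [label for label, rx in SQLI_PATTERNS if rx.search(decoded_uri)]


def scan_log(text):
    """Return one finding per request that carries SQL injection syntax."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip rather than crash
        decoded = decode_fully(m.group("uri"))
        labels = sqli_labels(decoded)
        if labels:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "uri": decoded,
                "labels": labels,
                # assumption: GeoDirectory requests are recognisable by "geodir" in the URI
                "geodir_target": "geodir" in decoded.lower(),
            })
    return findings


def geodir_findings(findings):
    """Subset of findings aimed at GeoDirectory, i.e. what the SIEM query above is trying to catch."""
    return [f for f in findings if f["geodir_target"]]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], "GEODIR" if f["geodir_target"] else "other ", f["labels"], f["uri"])
```

The tautology pattern will also fire on legitimate searches such as "fish and chips=..."; tune it on your own traffic, and keep the GeoDirectory-targeted subset as the high-priority alert while the rest feeds generic web-attack dashboards.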

🔗 References
