CVE-2024-53807

8.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the WP Mailster WordPress plugin allows attackers to execute arbitrary SQL commands through specially crafted inputs. It affects all WP Mailster installations up to and including version 1.8.16.0 (the earliest affected version is not specified), potentially compromising any WordPress site running this plugin.

💻 Affected Systems

Products:
  • WP Mailster WordPress Plugin
Versions: n/a through 1.8.16.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with WP Mailster plugin enabled within the vulnerable version range.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, site takeover, or data destruction.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information such as user credentials, and potential site defacement.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, though risk remains if vulnerable code paths are accessible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Blind SQL injection suggests exploitation requires inference techniques but is still accessible to attackers with basic SQLi knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.8.16.0

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-16-0-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Mailster and click 'Update Now' if available.
4. If no update appears, manually download the latest version from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable WP Mailster Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until patched:

wp plugin deactivate wp-mailster

Web Application Firewall (WAF) Rules (applies to: all)

Implement WAF rules to block SQL injection patterns targeting WP Mailster endpoints.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs in custom code.
  • Use parameterized queries or prepared statements for all database interactions.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Mailster version. If version is 1.8.16.0 or earlier, you are vulnerable.

Check Version:

wp plugin get wp-mailster --field=version

Verify Fix Applied:

After updating, verify WP Mailster version is higher than 1.8.16.0 in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in WordPress debug logs
  • Multiple failed login attempts or unusual database queries from single IPs

Network Indicators:

  • HTTP requests with SQL injection patterns (UNION, SELECT, etc.) to WP Mailster endpoints

SIEM Query:

source="wordpress.log" AND "wp-mailster" AND ("sql" OR "database error" OR "union select")
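The SIEM query above keys on the plugin slug plus a few SQL keywords. As an added example (not part of this advisory and not code from the WP Mailster project), the following Python script applies the same idea to web-server access logs: it URL-decodes each request target, scopes to requests that mention the wp-mailster slug (the plugin's actual endpoint paths are not given on this page, so the sample paths below are hypothetical placeholders), flags the SQL injection shapes named in the Network Indicators (UNION/SELECT, tautologies, time-based functions, comment terminators), and then counts hits per source IP, matching the "from single IPs" indicator. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/nginx combined format). The
# wp-mailster paths and the "mailster_placeholder" ajax action are hypothetical;
# the page does not name the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/wp-mailster/placeholder-endpoint.php?id=1 HTTP/1.1" 200 512
203.0.113.10 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/wp-mailster/placeholder-endpoint.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512
203.0.113.10 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=mailster_placeholder&id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 88
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /?s=union%20select%20test HTTP/1.1" 200 4096
198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=mailster_placeholder&id=1%20OR%201%3D1 HTTP/1.1" 200 88
"""

# Combined-log-format prefix: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection signatures for the injection shapes listed under Network Indicators.
# Applied to the *decoded* target, so percent-encoding does not hide them.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I),
    "comment-terminator": re.compile(r"(--|#|/\*)\s*$"),
}


def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded payloads are also visible to the signatures."""
    return unquote_plus(unquote_plus(target))


def is_mailster_request(decoded_target: str) -> bool:
    """Scope to the plugin: match the slug in the path or in an admin-ajax action name."""
    return "mailster" in decoded_target.lower()


def scan_log(text: str) -> list[dict]:
    """Return one finding per WP Mailster request that matches any SQLi signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        decoded = decode_target(m["target"])
        if not is_mailster_request(decoded):
            continue  # outside this advisory's scope
        hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
        if hits:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "target": decoded, "patterns": hits}
            )
    return findings


def ips_over_threshold(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """Source IPs with at least `threshold` flagged requests (the 'single IPs' indicator)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['patterns']} {f['target']}")
    print("repeat offenders:", ips_over_threshold(found))
```

The fourth sample line carries a UNION SELECT in a generic search query and is deliberately not flagged, because this scan is scoped to the plugin the advisory concerns; widen `is_mailster_request` if you want site-wide SQLi hunting. Pair the access-log scan with the WordPress debug log check from the Log Indicators above, since a blind injection that succeeds may produce no SQL error at all and leave only the timing or request-shape evidence this script looks for.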
