CVE-2024-9770 – This vulnerability in the WP-Recall WordPress p... (How to Fix)

Q: What is the severity of CVE-2024-9770?

CVE-2024-9770 has a CVSS score of 4.7 (MEDIUM). This vulnerability in the WP-Recall WordPress plugin allows administrators to perform SQL injection attacks due to unsanitized parameter usage in SQL statements. It affects WordPress sites running WP-Recall versions before 16.26.12. Only authenticated administrators can exploit this vulnerability.

📋 TL;DR

This vulnerability in the WP-Recall WordPress plugin allows administrators to perform SQL injection attacks due to unsanitized parameter usage in SQL statements. It affects WordPress sites running WP-Recall versions before 16.26.12. Only authenticated administrators can exploit this vulnerability.

💻 Affected Systems

Products:

WP-Recall WordPress Plugin

Versions: All versions before 16.26.12

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with WP-Recall plugin installed; requires administrator access to exploit.

📦 What is this software?

Wp Recall by Plechevandrey

View all CVEs affecting Wp Recall →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator could execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or site takeover.

🟠

Likely Case

Administrator could extract sensitive data from the database, modify content, or escalate privileges.

🟢

If Mitigated

Limited impact since it requires administrator credentials; proper access controls would prevent exploitation.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires administrator-level access to the WordPress site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.26.12

Vendor Advisory: https://wpscan.com/vulnerability/d31f8713-b807-4ac4-8897-7d62a93bb2db/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP-Recall plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 16.26.12+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the WP-Recall plugin until patched

wp plugin deactivate wp-recall

🧯 If You Can't Patch

Restrict administrator accounts to trusted personnel only
Implement web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check WP-Recall plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get wp-recall --field=version

Verify Fix Applied:

Verify WP-Recall plugin version is 16.26.12 or higher

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in WordPress or database logs
Multiple failed login attempts followed by administrator access

Network Indicators:

Suspicious POST requests to wp-admin containing SQL syntax

SIEM Query:

source="wordpress.log" AND "wp-recall" AND ("SELECT" OR "UNION" OR "INSERT" OR "UPDATE")

📊 Metadata

CVE ID: CVE-2024-9770

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CWE: CWE-89

EPSS Score: 0.08% exploit probability (22.5th percentile)

Published: March 25, 2025

Last Updated: April 29, 2025

🔗 References

https://wpscan.com/vulnerability/d31f8713-b807-4ac4-8897-7d62a93bb2db/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-9770, you might also want to check these: