CVE-2024-0594 in Awesome Support Plugin
Summary
by MITRE • 02/10/2024
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/12/2026
The CVE-2024-0594 vulnerability affects the Awesome Support WordPress plugin, specifically targeting versions up to and including 6.1.7. This represents a critical security flaw that exploits a union-based SQL injection vulnerability within the plugin's wpas_get_users action functionality. The vulnerability stems from inadequate input sanitization and insufficient parameter preparation within the SQL query execution process, creating an exploitable condition that can be leveraged by authenticated attackers. The flaw exists in the handling of the 'q' parameter, which is processed without proper escaping mechanisms, allowing malicious input to be interpreted as part of the SQL command rather than as literal data.
The technical implementation of this vulnerability follows a classic union-based SQL injection pattern where an attacker can manipulate the 'q' parameter to inject additional SQL commands into the existing query structure. This occurs because the plugin fails to properly escape user-supplied input before incorporating it into database queries, violating fundamental security principles for input validation and query construction. The vulnerability is particularly concerning because it requires only subscriber-level access or higher to exploit, making it accessible to users who already have some level of authorization within the WordPress environment. This authentication requirement does not mitigate the severity of the flaw, as it provides attackers with a pathway to escalate their access and extract sensitive database information.
The operational impact of this vulnerability extends beyond simple data extraction, as it enables attackers to potentially access confidential user information, including personal details, login credentials, and other sensitive data stored within the WordPress database. The union-based approach allows for complex data retrieval operations that can expose multiple database tables and columns, potentially compromising the entire user base managed by the support plugin. This vulnerability creates a significant risk for organizations relying on WordPress for customer support operations, as it could lead to data breaches, privacy violations, and potential regulatory compliance issues. The impact is amplified by the fact that the vulnerability affects a widely used plugin, increasing the potential attack surface and the number of vulnerable systems.
Organizations should implement immediate mitigations including updating to the latest plugin version where the vulnerability has been patched, applying proper input validation measures, and implementing additional security controls such as web application firewalls. The vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws, and follows patterns commonly referenced in ATT&CK framework under T1566 for credential access and T1071 for application layer protocol usage. Security teams should also consider implementing database query monitoring and access controls to detect and prevent unauthorized SQL command execution attempts. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other plugins and themes within the WordPress ecosystem. The patching process should be prioritized immediately, as this vulnerability represents a significant risk to organizational security posture and could be exploited by threat actors to gain unauthorized access to sensitive information.