CVE-2024-12023 in FULL Plugininfo

Summary

by MITRE • 05/02/2025

The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro and Elementor CRM.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/02/2025

The vulnerability identified as CVE-2024-12023 affects the FULL – Cliente plugin for WordPress, specifically targeting versions 3.1.5 through 3.1.25. This represents a critical security flaw that undermines the integrity of database operations within the WordPress ecosystem. The vulnerability stems from inadequate input sanitization mechanisms that fail to properly escape user-supplied parameters before incorporating them into SQL queries. The flaw manifests through the 'formId' parameter which serves as the primary attack vector for malicious SQL injection attempts.

The technical implementation of this vulnerability aligns with CWE-89, which categorizes SQL injection as a code injection technique that exploits improper input validation in database queries. The plugin's failure to implement proper parameterized queries or adequate escaping mechanisms creates an exploitable condition where authenticated users can manipulate database interactions. The vulnerability requires minimal privileges, specifically Subscriber-level access and above, making it particularly dangerous as it can be leveraged by users who already possess some level of system access. This authentication requirement significantly reduces the barrier to exploitation compared to vulnerabilities requiring administrative privileges.

Operational impact of this vulnerability extends beyond simple data extraction to potentially compromise the entire WordPress installation's database integrity. Authenticated attackers can craft malicious SQL queries that append additional operations to existing database requests, enabling them to retrieve sensitive information including user credentials, personal data, and potentially system configuration details. The exploitation becomes more severe when considering that this vulnerability is only active when the PRO version of the plugin is operational alongside Elementor Pro and Elementor CRM, indicating a complex attack surface that involves multiple interconnected components. This combination of plugins creates a more extensive attack surface where the SQL injection vulnerability can be leveraged to extract comprehensive data from the integrated system.

The attack vector specifically targets the 'formId' parameter within the plugin's processing logic, where user input directly influences database query construction without proper sanitization. This flaw represents a classic case of insufficient input validation and output encoding, creating opportunities for attackers to manipulate database operations through crafted input values. The vulnerability's exploitation requires the PRO version to be active, suggesting that the developers may have implemented different security controls in the free version, but left critical input validation gaps in the premium functionality. Security practitioners should note that this vulnerability demonstrates the importance of comprehensive input validation across all plugin versions, regardless of feature sets or user access levels.

Mitigation strategies should prioritize immediate plugin updates to versions that address the SQL injection vulnerability, while also implementing additional security measures including database query parameterization, input validation, and access control restrictions. Organizations should consider implementing web application firewalls and monitoring for suspicious database query patterns. The vulnerability highlights the necessity of following secure coding practices including the principle of least privilege and proper input sanitization. Security teams must also conduct comprehensive vulnerability assessments of all active plugins to identify similar patterns of inadequate input validation that could lead to similar security compromises. Additionally, implementing database activity monitoring and access logging can help detect unauthorized SQL injection attempts and provide forensic evidence of potential exploitation attempts.

Reservation

12/02/2024

Disclosure

05/02/2025

Moderation

accepted

CPE

ready

EPSS

0.00317

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!