CVE-2024-1711 in Create Plugin
Summary
by MITRE • 03/20/2024
The Create by Mediavine plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.9.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/13/2026
The CVE-2024-1711 vulnerability affects the Create by Mediavine plugin for WordPress, representing a critical security flaw that has been identified in versions up to and including 1.9.4. This vulnerability stems from inadequate input validation and sanitization within the plugin's codebase, specifically concerning the 'id' parameter handling. The flaw exists in the plugin's database interaction logic where user-supplied input is not properly escaped before being incorporated into SQL queries, creating an avenue for malicious exploitation.
The technical implementation of this vulnerability involves the plugin's failure to employ proper parameterized queries or adequate input sanitization mechanisms when processing the 'id' parameter. This allows attackers to inject malicious SQL code directly into the existing database queries through the vulnerable parameter. The vulnerability is classified as a classic SQL injection flaw, which according to CWE-89, represents an injection vulnerability where untrusted data is directly incorporated into SQL commands without proper escaping or parameterization. The lack of sufficient preparation of the SQL query structure means that attacker-controlled input can manipulate the intended query execution flow.
The operational impact of this vulnerability is severe as it enables unauthenticated attackers to exploit the weakness without requiring any valid credentials or privileged access to the WordPress installation. Attackers can leverage this vulnerability to extract sensitive information from the underlying database, potentially gaining access to user credentials, personal data, configuration settings, and other confidential information stored within the WordPress environment. The vulnerability affects the integrity and confidentiality of the entire WordPress installation, as the SQL injection can be used to perform unauthorized read operations on database tables, potentially leading to data breaches and further compromise of the affected system.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1213.002 which covers data from information repositories, and represents a significant risk to organizations relying on WordPress platforms with vulnerable Mediavine plugin installations. The attack vector is particularly concerning as it requires no authentication, making it accessible to anyone who can interact with the vulnerable WordPress site. Organizations should immediately implement mitigation strategies including plugin updates, input validation improvements, and database access controls to prevent exploitation. The vulnerability demonstrates the critical importance of proper input sanitization and parameterized queries in preventing injection attacks, which should be considered fundamental security practices in all web application development and maintenance activities.
The remediation approach for this vulnerability requires immediate plugin version updates to address the SQL injection flaw, along with implementing proper input validation and parameterized query execution throughout the plugin codebase. System administrators should also consider implementing web application firewalls, database activity monitoring, and regular security assessments to detect and prevent similar vulnerabilities in other components of the WordPress ecosystem.