CVE-2024-1317: Critical WordPress Plugin Flaw Leaves Your Data Exposed

From securityonline.info

A serious vulnerability jeopardizes the security of WordPress websites using the popular RSS Aggregator by the Feedzy plugin. With over 50,000 active installations, WordPress users must understand the risks and take immediate action. Versions of the plugin up to 4.4.2 contain a critical SQL injection flaw that puts your sensitive information at the mercy of cybercriminals.

Tracked as CVE-2024-1317 (CVSS 8.8), this flaw was pinpointed within all versions up to and including 4.4.2 of the Feedzy plugin. The ‘search_key‘ parameter, a gateway through which SQL queries whisper secrets to the database, was left inadequately guarded. Insufficient escaping of user-supplied parameters and a lack of preparation in the SQL queries themselves opened the floodgates for authenticated attackers with contributor-level permissions or higher to inject malicious SQL, siphoning off data including password hashes.

Read more…