CVE-2024-4443
Business Directory Plugin – Easy Listing Directories for WordPress <= 6.4.2 - Unauthenticated SQL Injection via listingfields Parameter
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- May 02, 2024
- Published Date
- May 22, 2024
- Last Updated
- August 01, 2024
- Vendor
- strategy11team
- Product
- Business Directory Plugin – Easy Listing Directories for WordPress
- Description
- The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Tags
- Exploitation
- none
- Technical Impact
- partial
- Proof of Concept Available
- Yes (added 2024-05-26 16:34:58 UTC) Source
nuclei_scanner
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-02-14 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4443.yaml | 2025-04-25 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
truonghuuphuc/CVE-2024-4443-Poc
Type: github • Created: 2024-05-26 16:34:58 UTC • Stars: 2
CVE-2024-4443 Business Directory Plugin – Easy Listing Directories for WordPress <= 6.4.2 - Unauthenticated SQL Injection via listingfields Parameter
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Proof of Concept Exploit Available
-
Detected by Nuclei
-
Added to KEVIntel