Skip to main content

Critical Site Intel CVE-2024-55976

CRITICAL
SQL Injection (CWE-89)
2024-12-16 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.3 (CRITICAL)
CVE Published
Dec 16, 2024 - 15:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mikeleembruggen Critical Site Intel critical-site-intel-stats allows SQL Injection.This issue affects Critical Site Intel: from n/a through <= 1.0.

AnalysisAI

SQL injection in the Critical Site Intel WordPress plugin (mikeleembruggen, versions through 1.0) allows remote unauthenticated attackers to manipulate backend database queries via the critical-site-intel-stats functionality, leading to data disclosure and limited availability impact with scope change to the underlying WordPress database. The vulnerability carries a CVSS 9.3 (Critical) rating and an EPSS score of 29.74% (97th percentile), placing it well above typical baseline exploitation likelihood, though no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL queries without proper sanitization, escaping, or use of prepared statements. The affected component is the Critical Site Intel WordPress plugin (slug: critical-site-intel-stats) developed by mikeleembruggen, which provides website statistics/intelligence functionality. WordPress plugins commonly invoke the global $wpdb object; failure to use $wpdb->prepare() with parameterized placeholders, or relying on insufficient escaping, allows attackers to break out of the query context. The CVSS scope change (S:C) indicates that the impact extends beyond the plugin's authorization boundary into the shared WordPress database, affecting other plugin/site data.

Affected ProductsAI

The Critical Site Intel WordPress plugin (slug critical-site-intel-stats) by author mikeleembruggen is affected in all versions from initial release through and including 1.0; no lower bound is specified in the advisory ('n/a through <= 1.0'). No CPE string was provided in the input data. The advisory was reported by Patchstack (audit@patchstack.com), which typically publishes details at patchstack.com/database/vulnerability - defenders should cross-reference that source for the specific Patchstack advisory ID associated with CVE-2024-55976.

RemediationAI

No vendor-released patch identified at time of analysis from the provided input - the affected version range ('<= 1.0') does not include a confirmed fixed release. Site operators should immediately deactivate and remove the Critical Site Intel plugin from any WordPress installation until the maintainer publishes a fixed version, since it appears to be a low-distribution plugin with limited active maintenance. As compensating controls until removal is possible, deploy a Web Application Firewall (such as Patchstack, Wordfence, or ModSecurity with OWASP CRS) with SQL injection signatures targeting the plugin's stats endpoints; restrict access to the plugin's request handlers at the web server or reverse-proxy layer (with the trade-off of breaking legitimate stats collection); and audit the WordPress database for unauthorized SELECT patterns or unexpected wp_users / wp_options reads in access logs. Consult the Patchstack advisory database for the authoritative remediation guidance and any later-released patched version.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Share

CVE-2024-55976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy