Critical Site Intel CVE-2024-55976
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mikeleembruggen Critical Site Intel critical-site-intel-stats allows SQL Injection.This issue affects Critical Site Intel: from n/a through <= 1.0.
AnalysisAI
SQL injection in the Critical Site Intel WordPress plugin (mikeleembruggen, versions through 1.0) allows remote unauthenticated attackers to manipulate backend database queries via the critical-site-intel-stats functionality, leading to data disclosure and limited availability impact with scope change to the underlying WordPress database. The vulnerability carries a CVSS 9.3 (Critical) rating and an EPSS score of 29.74% (97th percentile), placing it well above typical baseline exploitation likelihood, though no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL queries without proper sanitization, escaping, or use of prepared statements. The affected component is the Critical Site Intel WordPress plugin (slug: critical-site-intel-stats) developed by mikeleembruggen, which provides website statistics/intelligence functionality. WordPress plugins commonly invoke the global $wpdb object; failure to use $wpdb->prepare() with parameterized placeholders, or relying on insufficient escaping, allows attackers to break out of the query context. The CVSS scope change (S:C) indicates that the impact extends beyond the plugin's authorization boundary into the shared WordPress database, affecting other plugin/site data.
Affected ProductsAI
The Critical Site Intel WordPress plugin (slug critical-site-intel-stats) by author mikeleembruggen is affected in all versions from initial release through and including 1.0; no lower bound is specified in the advisory ('n/a through <= 1.0'). No CPE string was provided in the input data. The advisory was reported by Patchstack (audit@patchstack.com), which typically publishes details at patchstack.com/database/vulnerability - defenders should cross-reference that source for the specific Patchstack advisory ID associated with CVE-2024-55976.
RemediationAI
No vendor-released patch identified at time of analysis from the provided input - the affected version range ('<= 1.0') does not include a confirmed fixed release. Site operators should immediately deactivate and remove the Critical Site Intel plugin from any WordPress installation until the maintainer publishes a fixed version, since it appears to be a low-distribution plugin with limited active maintenance. As compensating controls until removal is possible, deploy a Web Application Firewall (such as Patchstack, Wordfence, or ModSecurity with OWASP CRS) with SQL injection signatures targeting the plugin's stats endpoints; restrict access to the plugin's request handlers at the web server or reverse-proxy layer (with the trade-off of breaking legitimate stats collection); and audit the WordPress database for unauthorized SELECT patterns or unexpected wp_users / wp_options reads in access logs. Consult the Patchstack advisory database for the authoritative remediation guidance and any later-released patched version.
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0
Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today