Critical Site Intel CVE-2024-55976
Severity: CRITICAL
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mikeleembruggen Critical Site Intel critical-site-intel-stats allows SQL Injection. This issue affects Critical Site Intel: from n/a through <= 1.0.
Analysis (AI)
SQL injection in the Critical Site Intel WordPress plugin (author mikeleembruggen, versions through 1.0) lets a remote, unauthenticated attacker (AV:N, PR:N, UI:N) alter the queries the critical-site-intel-stats functionality sends to the backend database. The vector records high confidentiality impact, no integrity impact and low availability impact, with a scope change (S:C) because the injected query runs against the shared WordPress database rather than only against data the plugin controls. The CVSS base score is 9.3 (Critical); the EPSS score of 29.74% (97th percentile) is well above the baseline exploitation likelihood, though no public exploit had been identified at the time of analysis.
Technical Context (AI)
The vulnerability is rooted in CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-supplied input reaches an SQL statement without parameterization (prepared statements) or adequate escaping. The affected component is the Critical Site Intel WordPress plugin (slug: critical-site-intel-stats) by mikeleembruggen, which provides website statistics/intelligence functionality. WordPress plugins query the database through the global $wpdb object; building a query by string concatenation instead of $wpdb->prepare() with %d/%s placeholders, or relying on incomplete escaping, lets an attacker break out of the intended value context and change the query's structure. Because $wpdb connects as the site's single database user, a query the plugin runs can read any table that user can, which is why the scope change (S:C) extends the impact beyond the plugin's own tables into the shared WordPress database, including core and other plugins' data.
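The pattern described above, as an added illustration rather than the plugin's own code: the plugin's real handler, parameter names and table are not published on this page, so the `csi_stats_handler_*` functions, the `page_id` and `period` parameters, the `csi_stats` table and the `csi_stats` AJAX action are hypothetical. Only the WordPress APIs ($wpdb, absint(), check_ajax_referer(), wp_send_json*()) are real, and the code is meant to run inside WordPress, not stand-alone. The first handler concatenates request input into SQL; the second is the $wpdb->prepare() form.

```php
<?php
// Added example, not the Critical Site Intel plugin's code. Handler names,
// request parameters, the AJAX action and the table name are hypothetical.

// VULNERABLE (CWE-89): request values are spliced straight into the SQL text.
// A page_id value such as "1 OR 1=1", or a period value containing a quote,
// changes the query's structure rather than just its operands.
function csi_stats_handler_vulnerable() {
    global $wpdb;
    $page_id = isset( $_GET['page_id'] ) ? $_GET['page_id'] : '';
    $period  = isset( $_GET['period'] ) ? $_GET['period'] : '7d';
    $table   = $wpdb->prefix . 'csi_stats';

    // No typing, no escaping, no placeholders. $wpdb runs this as the same
    // database user as the rest of WordPress, so wp_users and wp_options are
    // reachable from the injected query (the S:C in the CVSS vector).
    $sql  = "SELECT day, hits FROM {$table} WHERE page_id = {$page_id} AND period = '{$period}'";
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json( $rows );
}

// HARDENED: typed input, an allow-list for the enumerated value, and
// $wpdb->prepare() so values never reach the SQL parser as syntax.
function csi_stats_handler_fixed() {
    global $wpdb;

    // Even an unauthenticated (wp_ajax_nopriv_*) endpoint should carry a nonce.
    check_ajax_referer( 'csi_stats_nonce', 'nonce' );

    // absint() maps anything that is not a positive integer to 0.
    $page_id = absint( $_GET['page_id'] ?? 0 );
    if ( 0 === $page_id ) {
        wp_send_json_error( 'invalid page_id', 400 );
    }

    // Enumerated values are compared against an allow-list, not escaped.
    $allowed_periods = array( '1d', '7d', '30d' );
    $period = sanitize_text_field( wp_unslash( $_GET['period'] ?? '7d' ) );
    if ( ! in_array( $period, $allowed_periods, true ) ) {
        wp_send_json_error( 'invalid period', 400 );
    }

    // Identifiers cannot be bound as values, so the table name is built only
    // from the trusted prefix and a constant. %d and %s are bound by prepare(),
    // which quotes and escapes the %s argument.
    $table = $wpdb->prefix . 'csi_stats';
    $sql   = $wpdb->prepare(
        "SELECT day, hits FROM {$table} WHERE page_id = %d AND period = %s",
        $page_id,
        $period
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json( $rows );
}

add_action( 'wp_ajax_csi_stats', 'csi_stats_handler_fixed' );
add_action( 'wp_ajax_nopriv_csi_stats', 'csi_stats_handler_fixed' );
```

On WordPress 6.2 and later, $wpdb->prepare() also accepts the %i placeholder for identifiers, which removes the need to interpolate even a trusted table name into the query string. Note that escaping alone (esc_sql()) is the weaker option the paragraph warns about: it protects a quoted string context but does nothing for an unquoted numeric operand like page_id.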
Affected Products (AI)
The Critical Site Intel WordPress plugin (slug critical-site-intel-stats) by author mikeleembruggen is affected in all versions from initial release through and including 1.0; the advisory gives no lower bound ('n/a through <= 1.0'). No CPE string was provided in the input data. The advisory was reported by Patchstack (audit@patchstack.com), which publishes its advisories at patchstack.com/database/vulnerability; defenders should cross-reference that source for the Patchstack advisory ID associated with CVE-2024-55976.
Remediation (AI)
No vendor-released patch was identified at the time of analysis; the affected range ('<= 1.0') names no fixed release. Site operators should deactivate and remove the Critical Site Intel plugin from every WordPress installation until the maintainer publishes a fixed version; the plugin appears to be low-distribution with limited active maintenance, so a fix may not be forthcoming. Until removal is possible, the compensating controls are: a web application firewall (Patchstack, Wordfence, or ModSecurity with the OWASP Core Rule Set) with SQL injection rules applied to the plugin's stats endpoints; blocking the plugin's request handlers at the web server or reverse proxy (at the cost of breaking legitimate stats collection); and reviewing web server access logs for requests to those endpoints whose parameters carry SQL syntax, together with the database query log, where it is enabled, for unexpected reads of wp_users or wp_options. Consult the Patchstack advisory database for authoritative remediation guidance and any later patched version.
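The access-log review suggested above, as an added example that is not part of the advisory: a PHP CLI script that parses combined-format log lines, keeps only requests to the plugin's paths, URL-decodes the query string and flags SQL syntax in it. The path patterns are an assumption derived from the plugin slug (the plugin's real request handlers are not listed on this page), the `stats.php` filename in the sample is invented, and the log lines are constructed for the demonstration.

```php
<?php
// Added example, not part of the advisory. Scans combined-format access log
// lines for requests to the plugin's paths carrying SQL syntax in the query.
// Path patterns are an assumption based on the plugin slug; sample lines are constructed.

const CSI_PATH_PATTERNS = array(
    '#^/wp-content/plugins/critical-site-intel-stats/#',   // assumed plugin directory
    '#^/wp-admin/admin-ajax\.php$#',                       // plugins commonly serve stats via admin-ajax
);

// Indicators of SQL syntax inside a decoded value; tuned for review, not for blocking.
const CSI_SQLI_PATTERNS = array(
    '/\'/',                              // string delimiter
    '/--|#|\/\*/',                       // comment sequences
    '/\bunion\b.*\bselect\b/i',          // UNION-based extraction
    '/\b(sleep|benchmark)\s*\(/i',       // time-based probing
    '/\b(or|and)\b\s+\S+\s*=\s*\S+/i',   // boolean tautology such as "or 1=1"
    '/\binformation_schema\b/i',
);

// Parse one combined-format line into its request components, or null if unparseable.
function csi_parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $url = parse_url( $m[4] );
    if ( false === $url ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'query'  => rawurldecode( $url['query'] ?? '' ),   // decode so %27 becomes a quote
        'status' => (int) $m[5],
    );
}

function csi_is_plugin_path( string $path ): bool {
    foreach ( CSI_PATH_PATTERNS as $re ) {
        if ( preg_match( $re, $path ) ) {
            return true;
        }
    }
    return false;
}

// Return the indicator patterns that match the decoded query string.
function csi_sqli_indicators( string $decoded_query ): array {
    $hits = array();
    foreach ( CSI_SQLI_PATTERNS as $re ) {
        if ( preg_match( $re, $decoded_query ) ) {
            $hits[] = $re;
        }
    }
    return $hits;
}

// Return the parsed requests to plugin paths that carry at least one indicator.
function csi_scan( iterable $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = csi_parse_line( $line );
        if ( null === $req || ! csi_is_plugin_path( $req['path'] ) ) {
            continue;
        }
        $hits = csi_sqli_indicators( $req['query'] );
        if ( $hits ) {
            $req['indicators'] = $hits;
            $findings[] = $req;
        }
    }
    return $findings;
}

// Constructed sample: a benign plugin request, a noisy request to an unrelated
// path (skipped by the path filter), and two suspicious plugin requests.
$sample = array(
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=csi_stats&page_id=7 HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /?s=%27+or+1%3D1 HTTP/1.1" 200 9921 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=csi_stats&page_id=7%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- HTTP/1.1" 200 4120 "-" "curl/8.4.0"',
    '198.51.100.9 - - [10/Jan/2025:12:00:04 +0000] "GET /wp-content/plugins/critical-site-intel-stats/stats.php?period=7d%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 500 0 "-" "curl/8.4.0"',
);

// Usage: php csi_scan.php < access.log  (replace $sample with file('php://stdin'))
foreach ( csi_scan( $sample ) as $f ) {
    printf( "%s %s %s %s?%s [%d] indicators=%d\n",
        $f['time'], $f['ip'], $f['method'], $f['path'], $f['query'], $f['status'], count( $f['indicators'] ) );
}
```

The path filter is what keeps this useful: SQL-looking characters are common in ordinary search and comment traffic, so restricting the check to the plugin's own handlers keeps the review list short. A 500 status on a flagged request, as in the last sample line, is worth prioritising since it often means the injected syntax reached the database and broke the query.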