Skip to main content

Code Generator Pro CVE-2024-55978

CRITICAL
SQL Injection (CWE-89)
2024-12-16 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.3 (CRITICAL)
CVE Published
Dec 16, 2024 - 15:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WalletStation Code Generator Pro code-generator-pro allows SQL Injection.This issue affects Code Generator Pro: from n/a through <= 1.2.

AnalysisAI

Unauthenticated SQL injection in WalletStation Code Generator Pro (versions up to and including 1.2) allows remote attackers to inject arbitrary SQL into backend queries over the network without user interaction. The flaw carries a CVSS 9.3 with scope change and high confidentiality impact, and EPSS places it in the 90th percentile (4.91%) for exploitation likelihood, though no public exploit identified at time of analysis. Reported by Patchstack, the issue is tagged as SQLi and corresponds to CWE-89.

Technical ContextAI

Code Generator Pro is a WordPress plugin by WalletStation used for generating codes within WordPress sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated or interpolated into SQL statements without proper parameterization or sanitization. Because the plugin runs inside the WordPress request pipeline, vulnerable handlers are reachable via standard HTTP(S) requests to wp-admin or wp-ajax endpoints, and the scope-changed CVSS vector (S:C) suggests the injection can affect data outside the plugin's own security boundary, such as the broader WordPress database including users and options tables.

Affected ProductsAI

WalletStation Code Generator Pro WordPress plugin, all versions from initial release through and including version 1.2, is affected. No CPE strings were provided in the source intelligence to further constrain the affected build set, and no vendor advisory URL was included beyond the Patchstack reporter attribution; consult the Patchstack database (patchstack.com) for the corresponding advisory and any updated fix metadata.

RemediationAI

No vendor-released patch identified at time of analysis based on the provided data - the affected range is described as 'n/a through <= 1.2' with no fixed version cited. Site administrators should immediately deactivate and remove the Code Generator Pro plugin from any WordPress installation until WalletStation publishes a patched release confirmed by Patchstack, since deactivation eliminates the vulnerable code path entirely at the cost of losing the plugin's code-generation functionality. As compensating controls while the plugin remains installed, deploy a WAF rule (Patchstack, Wordfence, or Cloudflare managed WordPress rulesets) to block SQL injection patterns targeting the plugin's endpoints, restrict access to the plugin's admin and AJAX URLs by IP allowlist via web server configuration, and enable database query logging to detect anomalous queries - noting that WAF signatures may miss novel payloads and IP restriction breaks legitimate remote administration. Monitor the Patchstack advisory page for the canonical fix version once released.

Share

CVE-2024-55978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy