Code Generator Pro CVE-2024-55978
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WalletStation Code Generator Pro code-generator-pro allows SQL Injection.This issue affects Code Generator Pro: from n/a through <= 1.2.
AnalysisAI
Unauthenticated SQL injection in WalletStation Code Generator Pro (versions up to and including 1.2) allows remote attackers to inject arbitrary SQL into backend queries over the network without user interaction. The flaw carries a CVSS 9.3 with scope change and high confidentiality impact, and EPSS places it in the 90th percentile (4.91%) for exploitation likelihood, though no public exploit identified at time of analysis. Reported by Patchstack, the issue is tagged as SQLi and corresponds to CWE-89.
Technical ContextAI
Code Generator Pro is a WordPress plugin by WalletStation used for generating codes within WordPress sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated or interpolated into SQL statements without proper parameterization or sanitization. Because the plugin runs inside the WordPress request pipeline, vulnerable handlers are reachable via standard HTTP(S) requests to wp-admin or wp-ajax endpoints, and the scope-changed CVSS vector (S:C) suggests the injection can affect data outside the plugin's own security boundary, such as the broader WordPress database including users and options tables.
Affected ProductsAI
WalletStation Code Generator Pro WordPress plugin, all versions from initial release through and including version 1.2, is affected. No CPE strings were provided in the source intelligence to further constrain the affected build set, and no vendor advisory URL was included beyond the Patchstack reporter attribution; consult the Patchstack database (patchstack.com) for the corresponding advisory and any updated fix metadata.
RemediationAI
No vendor-released patch identified at time of analysis based on the provided data - the affected range is described as 'n/a through <= 1.2' with no fixed version cited. Site administrators should immediately deactivate and remove the Code Generator Pro plugin from any WordPress installation until WalletStation publishes a patched release confirmed by Patchstack, since deactivation eliminates the vulnerable code path entirely at the cost of losing the plugin's code-generation functionality. As compensating controls while the plugin remains installed, deploy a WAF rule (Patchstack, Wordfence, or Cloudflare managed WordPress rulesets) to block SQL injection patterns targeting the plugin's endpoints, restrict access to the plugin's admin and AJAX URLs by IP allowlist via web server configuration, and enable database query logging to detect anomalous queries - noting that WAF signatures may miss novel payloads and IP restriction breaks legitimate remote administration. Monitor the Patchstack advisory page for the canonical fix version once released.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today