Skip to main content

Wr Age Verification CVE-2024-55980

CRITICAL
SQL Injection (CWE-89)
2024-12-16 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.3 (CRITICAL)
CVE Published
Dec 16, 2024 - 15:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robindkumar Wr Age Verification wr-age-verification allows SQL Injection.This issue affects Wr Age Verification: from n/a through <= 2.0.0.

AnalysisAI

SQL injection in the robindkumar Wr Age Verification WordPress plugin (versions up to and including 2.0.0) allows remote unauthenticated attackers to inject crafted SQL into backend queries, exposing database contents with a scope change that extends impact beyond the plugin itself. The flaw carries a CVSS 9.3 (Critical) and an EPSS of 4.91% (90th percentile), indicating meaningfully elevated exploitation likelihood relative to the broader CVE population, though no public exploit identified at time of analysis.

Technical ContextAI

Wr Age Verification is a WordPress plugin (developer handle: robindkumar) that gates site content behind an age-confirmation prompt. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into SQL statements without parameterization or proper escaping via WordPress's $wpdb->prepare(). Because WordPress plugins execute within the shared site database context, any injectable query can reach the entire wp_* schema - including wp_users (password hashes, emails) and wp_options (site secrets, API keys). The CVSS Scope:Changed (S:C) flag reflects that exploitation of the plugin's vulnerable component can affect the broader WordPress instance beyond the plugin's own boundary.

Affected ProductsAI

The vulnerability affects the robindkumar Wr Age Verification WordPress plugin in all versions from initial release through and including 2.0.0 (vendor-stated range: 'n/a through <= 2.0.0'). No CPE strings were provided in the input data, and no vendor advisory URL was supplied beyond the Patchstack reporter attribution; consult the Patchstack vulnerability database for the canonical advisory record.

RemediationAI

No vendor-released patch identified at time of analysis - the disclosed range covers all versions up to and including 2.0.0 with no fixed version cited. Site operators should immediately deactivate and uninstall the Wr Age Verification plugin from the WordPress admin Plugins page and replace it with an actively maintained age-gate plugin if the functionality is business-required; deactivation alone leaves plugin files on disk but removes the vulnerable code paths from execution. As a compensating control until removal, restrict access to the plugin's request endpoints via a WAF rule or .htaccess deny (this will break the age-verification feature for legitimate visitors), and monitor wp_users and wp_options tables for unexpected reads or modifications. Rotate WordPress secret keys (wp-config.php AUTH_KEY et al.), database credentials, and any API keys stored in wp_options on the assumption of prior compromise if exposure is suspected. Subscribe to the Patchstack advisory feed (audit@patchstack.com) for fix release notification.

Share

CVE-2024-55980 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy