Skip to main content

Navayan CSV Export CVE-2024-55988

CRITICAL
SQL Injection (CWE-89)
2024-12-16 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.3 (CRITICAL)
CVE Published
Dec 16, 2024 - 15:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Amol Nirmala Waman Navayan CSV Export navayan-csv-export allows Blind SQL Injection.This issue affects Navayan CSV Export: from n/a through <= 1.0.9.

AnalysisAI

Unauthenticated blind SQL injection in the Navayan CSV Export WordPress plugin (versions through 1.0.9) allows remote attackers to inject arbitrary SQL into backend queries without any user interaction. With a CVSS of 9.3 and EPSS of 26.63% (96th percentile), the issue carries elevated exploitation probability, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

The flaw is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) defect in the Navayan CSV Export plugin authored by Amol Nirmala Waman, which adds CSV export functionality for WordPress data. User-controllable input is concatenated into SQL queries against the WordPress MySQL/MariaDB backend without proper parameterization or escaping via $wpdb->prepare(). Because the injection is blind, exploitation relies on boolean-based or time-based inference techniques rather than direct error or UNION output, but still permits arbitrary read access to the underlying database. The scope-changed CVSS vector (S:C) indicates the impact crosses a security boundary, consistent with reading data outside the plugin's intended dataset such as wp_users credentials and secrets.

Affected ProductsAI

The vulnerability affects the Navayan CSV Export WordPress plugin (slug navayan-csv-export) authored by Amol Nirmala Waman, in all versions from initial release through and including 1.0.9. No CPE string was provided in the input data, and no vendor advisory URL was included beyond the Patchstack reporter attribution; defenders should consult the Patchstack vulnerability database entry for CVE-2024-55988 for the authoritative affected-version range.

RemediationAI

No vendor-released patch identified at time of analysis based on the provided data - version 1.0.9 is the last known affected release and no fixed version was supplied. Until a patched release is confirmed via the Patchstack advisory, the most reliable mitigation is to deactivate and remove the Navayan CSV Export plugin entirely, which eliminates the vulnerable code path at the cost of losing CSV export functionality on the site. As an interim compensating control, administrators can restrict access to the plugin's export endpoints via web server rules or a WAF with WordPress SQLi rulesets (Patchstack, Wordfence) - noting that blind SQLi payloads using time-based inference can sometimes evade signature-based WAFs, so this should be treated as defense-in-depth rather than a complete fix. Database-layer hardening such as ensuring the WordPress DB user lacks FILE privileges will limit secondary impact if exploitation occurs.

Share

CVE-2024-55988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy