Navayan CSV Export CVE-2024-55988
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Amol Nirmala Waman Navayan CSV Export navayan-csv-export allows Blind SQL Injection.This issue affects Navayan CSV Export: from n/a through <= 1.0.9.
AnalysisAI
Unauthenticated blind SQL injection in the Navayan CSV Export WordPress plugin (versions through 1.0.9) allows remote attackers to inject arbitrary SQL into backend queries without any user interaction. With a CVSS of 9.3 and EPSS of 26.63% (96th percentile), the issue carries elevated exploitation probability, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
The flaw is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) defect in the Navayan CSV Export plugin authored by Amol Nirmala Waman, which adds CSV export functionality for WordPress data. User-controllable input is concatenated into SQL queries against the WordPress MySQL/MariaDB backend without proper parameterization or escaping via $wpdb->prepare(). Because the injection is blind, exploitation relies on boolean-based or time-based inference techniques rather than direct error or UNION output, but still permits arbitrary read access to the underlying database. The scope-changed CVSS vector (S:C) indicates the impact crosses a security boundary, consistent with reading data outside the plugin's intended dataset such as wp_users credentials and secrets.
Affected ProductsAI
The vulnerability affects the Navayan CSV Export WordPress plugin (slug navayan-csv-export) authored by Amol Nirmala Waman, in all versions from initial release through and including 1.0.9. No CPE string was provided in the input data, and no vendor advisory URL was included beyond the Patchstack reporter attribution; defenders should consult the Patchstack vulnerability database entry for CVE-2024-55988 for the authoritative affected-version range.
RemediationAI
No vendor-released patch identified at time of analysis based on the provided data - version 1.0.9 is the last known affected release and no fixed version was supplied. Until a patched release is confirmed via the Patchstack advisory, the most reliable mitigation is to deactivate and remove the Navayan CSV Export plugin entirely, which eliminates the vulnerable code path at the cost of losing CSV export functionality on the site. As an interim compensating control, administrators can restrict access to the plugin's export endpoints via web server rules or a WAF with WordPress SQLi rulesets (Patchstack, Wordfence) - noting that blind SQLi payloads using time-based inference can sometimes evade signature-based WAFs, so this should be treated as defense-in-depth rather than a complete fix. Database-layer hardening such as ensuring the WordPress DB user lacks FILE privileges will limit secondary impact if exploitation occurs.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today