Skip to main content

Wp Erp CVE-2024-6666

HIGH
SQL Injection (CWE-89)
2024-07-11 security@wordfence.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 19:39 nvd
Patch available
CVE Published
Jul 11, 2024 - 07:15 nvd
HIGH 8.8

DescriptionCVE.org

The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ and 'status' parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ and 'status' parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ and 'status' parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Affected products include: Wedevs Wp Erp.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

More in Wp Erp

View all
CVE-2023-2744 HIGH POC
7.2 Jun 27

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/account

CVE-2023-34008 MEDIUM POC
6.1 Aug 30

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2023-2743 MEDIUM POC
6.1 Jun 27

The ERP WordPress plugin before 1.12.4 does not sanitise and escape the employee_name parameter before outputting it bac

CVE-2026-31917 HIGH
8.5 Mar 13

SQL injection vulnerability in the weDevs WP ERP WordPress plugin affecting all versions up to and including 1.16.10, al

CVE-2020-36735 MEDIUM POC
4.3 Jul 01

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-0609 HIGH
7.2 Mar 29

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-0952 HIGH
7.2 Apr 09

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-1173 HIGH
7.2 May 02

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-0913 HIGH
7.2 Mar 29

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-0608 MEDIUM
6.5 Mar 29

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-0956 MEDIUM
4.9 Mar 29

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is

CVE-2024-12812 HIGH POC
7.5 May 15

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before

Share

CVE-2024-6666 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy