Overview
This report details the CVE-2024-12612 vulnerability, a significant risk to users of the School Management System for WordPress plugin. This vulnerability opens the door to unauthorized SQL injection attacks, potentially compromising data integrity and security. As such, it is crucial for affected parties to understand the threat and implement the necessary countermeasures.
Vulnerability Summary
CVE ID: CVE-2024-12612
Severity: High (CVSS score 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise, potential data leakage
Affected Products
Product: School Management System for WordPress Plugin
Affected Versions: Up to and including 93.2.0
How the Exploit Works
The vulnerability arises from insufficient escaping of user-supplied parameters and the lack of prepared (parameterized) statements for the plugin's existing SQL queries. Because of this, unauthenticated attackers can append additional SQL to pre-existing queries and use that to extract sensitive information from the database.
Conceptual Example Code
Below is a conceptual example of how the vulnerability could be exploited:
POST /wp-admin/admin-ajax.php?action=smgt_add_subject HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
subject_name="test"; subject_code="test123" UNION ALL SELECT CONCAT(user_login,':',user_pass) FROM wp_users--
In this example, a malicious SQL command is injected into the ‘subject_name’ parameter, which gets executed as part of the original SQL query. The ‘UNION ALL SELECT’ statement allows the attacker to combine the results of the original query with details from the WordPress users’ table, potentially exposing sensitive user credentials.
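To show the root cause described above and the fix a plugin author would apply, the following PHP is an added illustration and not the plugin's own code: a hypothetical handler that concatenates request parameters into a query, beside a hardened version that binds values through $wpdb->prepare() and gates the AJAX action behind capability and nonce checks. The table name, column names and the required capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumed: a table
// {$wpdb->prefix}smgt_subject with columns id/subject_name/subject_code,
// and 'manage_options' as the capability the action should require.

// VULNERABLE PATTERN: request values concatenated into the query text, so a
// quote inside subject_name closes the literal and the remainder runs as SQL.
function smgt_find_subject_vulnerable( $name, $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'smgt_subject';
    $sql   = "SELECT id FROM $table WHERE subject_name = '$name' AND subject_code = '$code'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: values are bound through $wpdb->prepare(); the statement
// structure is fixed and the input can only ever be a string literal.
function smgt_find_subject_hardened( $name, $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'smgt_subject';
    $sql   = $wpdb->prepare(
        "SELECT id FROM {$table} WHERE subject_name = %s AND subject_code = %s",
        $name, $code
    );
    return $wpdb->get_results( $sql );
}

// AJAX entry point: capability and nonce checks, then validated input, then
// a formatted $wpdb->insert(). No wp_ajax_nopriv_ hook is registered.
function smgt_add_subject_handler() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }
    check_ajax_referer( 'smgt_add_subject', 'nonce' );
    $name = sanitize_text_field( wp_unslash( $_POST['subject_name'] ?? '' ) );
    $code = sanitize_text_field( wp_unslash( $_POST['subject_code'] ?? '' ) );
    if ( '' === $name || '' === $code ) {
        wp_send_json_error( 'missing fields', 400 );
    }
    if ( smgt_find_subject_hardened( $name, $code ) ) {
        wp_send_json_error( 'duplicate subject', 409 );
    }
    $wpdb->insert(
        $wpdb->prefix . 'smgt_subject',
        array( 'subject_name' => $name, 'subject_code' => $code ),
        array( '%s', '%s' )
    );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
add_action( 'wp_ajax_smgt_add_subject', 'smgt_add_subject_handler' );
```

The sanitize_text_field() call is input hygiene, not the SQL defence; the injection is closed by $wpdb->prepare() and the format array passed to $wpdb->insert(), and the capability check removes the unauthenticated attack surface the advisory describes.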