cleantalk
Vulnerabilities and Security Researches

FULL – Cliente, CVE-2024-12023

CVE, Research URL

CVE-2024-12023

Home page URL

Security reports for FULL – Cliente

Application

FULL – Cliente

Published on
May 02, 2025
Research Description
The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro and Elementor CRM.
Affected versions
Min 3.1.5, max 3.1.25.
Status
vulnerable
Previous vulnerability researches
Able Player, accessible HTML5 media player (CVE-2025-46475) , Apr 26, 2025
Able Player, accessible HTML5 media player (CVE-2025-3752) , May 02, 2025
New vulnerability
VerticalResponse Newsletter Widget (CVE-2025-4172) , May 04, 2025
Subpage List (CVE-2025-4168) , May 04, 2025
OTP-less one tap Sign in (CVE-2025-3746) , May 04, 2025
Advanced Reorder Image Text Slider (CVE-2025-4188) , May 04, 2025
MStore API (CVE-2025-3438) , May 04, 2025