cleantalk
Vulnerabilities and Security Researches

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting, CVE-2024-6666

CVE, Research URL

CVE-2024-6666

Home page URL

Security reports for WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Application

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Published on
Jul 11, 2024
Research Description
The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
Min -, max 1.13.1.
Status
vulnerable
Previous vulnerability researches
LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing (CVE-2024-3590) , Jun 07, 2024
LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing (CVE-2023-27415) , Jun 07, 2024
LetterPress – Elevate Your WordPress Site's E-Mail Campaigns and Marketing (CVE-2024-34568) , Jun 07, 2024
Ni Purchase Order(PO) For WooCommerce (CVE-2023-5957) , Jun 06, 2024
User registration & user profile – UserPlus (CVE-2023-0824) , Jun 07, 2024
New vulnerability
Uncanny Automator – Automate everything with the #1 automation, integration & webhooks plugin (CVE-2025-2075) , Apr 05, 2025
Blubrry PowerPress Podcasting plugin MultiSite add-on (CVE-2025-31436) , Apr 05, 2025
Wptobe-signinup (CVE-2025-30611) , Apr 05, 2025
Lexicata (CVE-2025-31900) , Apr 05, 2025
WooTumblog (CVE-2025-31729) , Apr 05, 2025