cleantalk
Vulnerabilities and Security Researches

Front End Users, CVE-2024-7607

CVE, Research URL

CVE-2024-7607

Home page URL

Security reports for Front End Users

Application

Front End Users

Published on
Aug 29, 2024
Research Description
The Front End Users plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.2.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
Min -, max 3.2.29.
Status
vulnerable
Previous vulnerability researches
Front End Users (3d137d82d6524fe37c8dd356efe27e9e4e9af54c) , Jun 07, 2024
Front End Users (CVE-2023-33322) , Jun 07, 2024
Front End Users (CVE-2023-34005) , Jun 07, 2024
Front End Users (CVE-2025-26877) , Feb 26, 2025
Front End Users (CVE-2024-13563) , Feb 18, 2025
New vulnerability
Logo Carousel Slider (CVE-2025-39525) , Apr 17, 2025
Clinked Client Portal (CVE-2025-32615) , Apr 17, 2025
Kadence WooCommerce Email Designer (CVE-2025-39557) , Apr 17, 2025
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2025-3615) , Apr 17, 2025
Doppler Forms (CVE-2025-32620) , Apr 17, 2025