TARIFFUXX WordPress Plugin SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the TARIFFUXX WordPress plugin, affecting versions through 1.4. The issue arises from inadequate sanitization of user input in SQL queries, allowing authenticated attackers with Contributor-level access or higher to inject malicious SQL. This exploitation can lead to unauthorized data extraction from the database by manipulating the 'id' attribute in the 'tariffuxx_configurator' shortcode.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the database queries of the application. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'tariffuxx_configurator' shortcode. By crafting a specific 'id' attribute, it's possible to inject SQL commands that exploit the vulnerability. The injected SQL can be used to extract sensitive information from the database.

Remediation

No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.