CVE-2024-8624 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in **MDTF** plugin (v1.3.3.3 & prior). <br>💥 **Consequences**: Full database compromise. Attackers can steal, modify, or delete data. Critical integrity loss.

🛡️ **CWE-89**: SQL Injection. <br>🔍 **Flaw**: The `mdf_select_title` function fails to sanitize the `meta_key` attribute. Malicious input executes directly in SQL queries.

🏢 **Vendor**: realmag777. <br>📦 **Product**: MDTF – Meta Data and Taxonomies Filter. <br>📉 **Affected**: Version **1.3.3.3** and all earlier versions.

🕵️ **Hackers Can**: <br>• Extract sensitive user data & passwords. <br>• Modify site content/taxonomies. <br>• Potentially achieve Remote Code Execution (RCE) via SQL. <br>• Full Admin control over the database.

⚠️ **Threshold**: **Low**. <br>🔑 **Auth**: Requires **Low Privilege** (PR:L). <br>🌐 **Access**: Network accessible (AV:N). <br>👤 **UI**: No user interaction needed (UI:N). Easy to exploit.

📜 **Public Exp?**: No specific PoC provided in data. <br>🌍 **Wild Exp**: Likely exists given CVSS 8.0+ score and known CWE-89 patterns. Assume **High Risk** of active exploitation.

🔍 **Self-Check**: <br>1. Scan for **MDTF plugin** version ≤ 1.3.3.3. <br>2. Check for `meta_key` parameter in SQL logs. <br>3. Use SQLi scanners on taxonomy filter endpoints.

🛠️ **Fixed?**: Yes. <br>📥 **Patch**: Update to latest version. <br>🔗 **Ref**: WordPress Trac changeset indicates fix in newer revisions. Check official plugin page.

🚧 **No Patch?**: <br>1. **Disable** the MDTF plugin immediately. <br>2. Implement WAF rules to block SQLi payloads in `meta_key`. <br>3. Restrict database user permissions (Least Privilege).

🔥 **Urgency**: **CRITICAL**. <br>📅 **Priority**: Patch **IMMEDIATELY**. <br>📈 **CVSS**: 8.0 (High). <br>⏳ **Time**: Published Sept 2024. Act now before widespread exploitation.