A huge collection of 3400+ free website templates JAR theme com WP themes and more at the biggest community-driven free web design site
Home / security-advisories / AIKit 4.14.1 Authenticated SQL Injection (CVE-2024-31370)

AIKit 4.14.1 Authenticated SQL Injection (CVE-2024-31370)

Advisory No: TZCERT/SA/2024/04/12-1

Date of First Release: 12th April 2024

Source: Wordfence, patchstack

Software Affected: AIKit <= 4.14.1

Overview:

CodeIsAwesome’s AIKit plugin is vulnerable to SQL Injection. The plugin’s vulnerability may allow an attacker to interact with the database and steal information.

Description:

AIKit is a WordPress AI Assistant that utilizes the GPT-3 model to assist writers in creating content up to 10 times faster. The plugin does not neutralize or incorrectly neutralize special elements that could modify the intended SQL command when it is sent to a downstream component. the improper neutralization of Special Elements used in an SQL Command in the plugin makes no real distinction between the control and data planes, thus, resulting in sensitive information disclosure as the impact SQL injection vulnerability.

Impact:

Successful exploitation of this vulnerability may allow the attacker to gain access to sensitive information.

Solution:

No patch has been released for this vulnerability. Users and administrators are encouraged to apply necessary updates.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/aikit-wordpress-ai-writing-assistant-using-gpt3/aikit-4141-authenticated-contributor-sql-injection
  2. https://patchstack.com/database/vulnerability/aikit-wordpress-ai-writing-assistant-using-gpt3/wordpress-codeisawesome-aikit-plugin-4-14-1-sql-injection-vulnerability?_s_id=cve
  3. https://avd.aquasec.com/nvd/2024/cve-2024-31370/

Check Also

Remote Code Execution Vulnerabilities in IBM Operational Decision Manager, and IBM i Modernization Engine for Lifecycle Integration (CVE-2019-19919, CVE-2019-12384)

Advisory No: TZCERT/SA/2024/05/17-6 Date of First Release: 17th May 2024 Source: IBM Software Affected: IBM …