CVE-2024-43976 identifies a critical SQL Injection vulnerability in the highwarden Super Store Finder WordPress plugin, specifically versions up to and including 6.9.7. The vulnerability arises from improper neutralization of special characters in SQL commands, allowing attackers to manipulate backend database queries. This can enable unauthorized retrieval, modification, or deletion of sensitive data stored in the database. The plugin is designed to provide store locator functionality on WordPress sites, which means it is integrated into websites that rely on it for customer-facing location services. The lack of proper input sanitization or parameterized queries in the affected versions leads to this injection flaw. Exploitation does not require authentication or user interaction, making it easier for remote attackers to leverage this vulnerability. Although no public exploits have been reported yet, the potential for automated exploitation exists given the commonality of SQL Injection attacks. No official patches or updates have been linked at the time of publication, so users must monitor vendor advisories closely. The vulnerability was reserved in August 2024 and published in September 2024, indicating recent discovery and disclosure. The absence of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

The impact of CVE-2024-43976 is significant for organizations using the Super Store Finder plugin on WordPress sites. Successful exploitation can lead to unauthorized access to sensitive customer and business data stored in the backend database, including potentially personally identifiable information (PII), business intelligence, or configuration data. Attackers may also alter or delete data, disrupting business operations or damaging data integrity. This can result in reputational damage, regulatory penalties, and financial losses. Since the vulnerability does not require authentication, attackers can remotely exploit it without prior access, increasing the attack surface. E-commerce and retail websites using this plugin are particularly at risk, as attackers could leverage the vulnerability to gain deeper access to the site or pivot to other systems. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as automated scanning tools may soon incorporate detection for this flaw.

Organizations should immediately audit their WordPress installations to identify if the Super Store Finder plugin is in use and determine the version. If affected (version 6.9.7 or earlier), they should consider disabling the plugin until a patch is available. Monitoring the vendor’s official channels and Patchstack advisories for updates or patches is critical. In the interim, applying Web Application Firewall (WAF) rules that detect and block SQL Injection patterns targeting the plugin’s endpoints can reduce risk. Developers or site administrators with custom implementations should review and harden input validation, ensuring all user inputs are sanitized and parameterized queries are used. Regular backups of the website and database should be maintained to enable recovery in case of compromise. Additionally, conducting security scans and penetration tests focused on SQL Injection vulnerabilities can help identify exploitation attempts. Restricting database user permissions to the minimum necessary can limit the damage if exploitation occurs.