
CVE-2024-7607: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in rustaurius Front End Users

Severity: High
Published: Thu Aug 29 2024 (08/29/2024, 05:30:57 UTC)
Source: CVE Database V5
Vendor/Project: rustaurius
Product: Front End Users

Description

CVE-2024-7607 is a high-severity SQL Injection vulnerability in the Front End Users WordPress plugin by rustaurius, affecting all versions up to and including 3.2.28. The flaw is improper sanitization of the 'order' parameter, which lets authenticated users with Contributor-level access or higher inject SQL into an existing query. Exploitation is time-based (blind): the attacker injects a conditional delay and reads database contents from how long each response takes, with no user interaction required. Successful exploitation can compromise the confidentiality, integrity, and availability of affected sites. No public exploit is known, but the low skill required and the high impact make timely patching critical. Until a fixed version is deployed, restrict Contributor-level permissions and monitor for suspicious database activity. Any organization hosting WordPress with this plugin is exposed regardless of location; regions with large WordPress user bases simply have more affected sites.

AI-Powered Analysis

Last updated: 02/26/2026, 03:43:48 UTC

Technical Analysis

CVE-2024-7607 is a high-severity SQL Injection vulnerability in the Front End Users plugin for WordPress, developed by rustaurius, affecting all versions up to and including 3.2.28. The root cause is insufficient escaping of, and no prepared statement for, the user-supplied 'order' parameter, which is spliced into an existing database query. Authenticated attackers with Contributor-level or higher privileges can append additional SQL to that query. The attack vector is network-based and requires no user interaction, so exploitation is straightforward once an account is in hand. The technique is time-based blind injection: the query's output is not shown to the attacker, so they inject a conditional that calls a delay function (SLEEP() on MySQL/MariaDB) when a guessed byte is correct and infer data one bit per request from the response time. Given enough requests this extracts password hashes, personal data, or configuration values from any table the WordPress database user can read. The CVSS v3.1 base score of 8.8 (High) reflects high impact on confidentiality, integrity, and availability combined with low attack complexity, low privileges required, and no user interaction. No exploitation in the wild is known, but sites that allow self-registration and grant Contributor-level roles to many or untrusted users are directly exposed. The record carries no patch reference, so check the plugin's changelog for a release later than 3.2.28 before relying on an update, and apply the mitigations below in the meantime.

Potential Impact

Exploitation of CVE-2024-7607 lets an attacker holding any Contributor-level account read the WordPress database: user records, e-mail addresses, password hashes (WordPress stores hashes, not plaintext passwords, but weak passwords crack quickly offline), and wp_options rows, which often hold API keys and other plugin secrets. Because WordPress's database layer issues one statement per call, injection through an ORDER BY clause is in practice a read primitive; integrity and availability are affected indirectly, through credentials recovered from the stolen hashes and through delay payloads that tie up database connections and degrade the site for every visitor. The low privilege requirement is what makes this serious: sites that let visitors register and contribute content hand out exactly the role needed, so a malicious sign-up or a phished contributor is sufficient. The outcome is a data breach with the usual regulatory, financial and reputational consequences, and, given how widely WordPress is deployed, the affected population ranges from small sites to large organizations.

Mitigation Recommendations

Start by auditing every WordPress installation for the Front End Users plugin and recording its version; anything at or below 3.2.28 is affected. Until a fix is confirmed and deployed, keep Contributor-level and higher roles limited to trusted people, and check whether front-end registration assigns that role automatically. A Web Application Firewall rule that accepts only a plain column name and ASC/DESC in the 'order' parameter, rejecting anything with parentheses, SQL keywords, or SLEEP()/BENCHMARK(), gives temporary protection. Monitoring the MySQL general or slow-query log for ORDER BY clauses that contain subqueries, conditionals or delay functions detects exploitation attempts; the delay itself also shows up as a cluster of slow requests from a single account. The proper fix in the plugin is not escaping alone: a prepared statement can bind values but not column names or sort directions, so the 'order' value must be mapped onto a fixed allowlist of sort columns before it reaches the SQL text. Keep regular, tested backups of the database and files; give WordPress a database account with no privileges beyond its own database; and consider isolating the WordPress host so a successful injection cannot reach other systems.
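As an added example, not code from the Front End Users plugin (the page does not show the plugin's query), the following PHP puts the vulnerable pattern the analysis describes beside an allowlist-based fix, and includes a small detector of the kind the log-monitoring advice calls for. The table and column names are WordPress core names used for illustration, the payload and the query-log lines are constructed, and the `$wpdb->prepare` mention in the comments refers to the real WordPress API without calling it, so the script runs stand-alone.

```php
<?php
// Added illustrative example (not the plugin's own code). Contrasts a request
// parameter spliced into ORDER BY with an allowlist-based fix, then runs a
// detector over constructed MySQL general-log style lines.
declare(strict_types=1);

// Vulnerable pattern: the request value becomes part of the SQL text.
// Quote-escaping (esc_sql-style) does not help here, because ORDER BY takes an
// identifier or expression, so a payload needs no quotes at all.
function build_order_query_vulnerable(string $order): string
{
    return 'SELECT ID, user_login FROM wp_users ORDER BY ' . $order;
}

// Hardened pattern: $wpdb->prepare('%s'/'%d') can bind values but not
// identifiers, so the only safe way to let a user pick the sort column is to
// map the request value onto a fixed allowlist of column names.
const ORDER_COLUMNS = [
    'id'         => 'ID',
    'login'      => 'user_login',
    'registered' => 'user_registered',
];
const ORDER_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

function build_order_query_hardened(string $order, string $direction = 'asc'): string
{
    $column = ORDER_COLUMNS[strtolower(trim($order))] ?? null;
    $dir    = ORDER_DIRECTIONS[strtolower(trim($direction))] ?? null;
    if ($column === null || $dir === null) {
        // Reject rather than "clean": anything outside the allowlist is either
        // an attack or a bug, and the query must not run in either case.
        throw new InvalidArgumentException('order/direction not in allowlist');
    }
    // Only allowlisted literals reach the SQL text; any real value (a user id,
    // a search term) would still be bound through $wpdb->prepare().
    return "SELECT ID, user_login FROM wp_users ORDER BY {$column} {$dir}";
}

// Detector for time-based injection in query-log text: a sort key should only
// ever be a plain column name, so delay functions, conditionals or subqueries
// after ORDER BY are flagged.
function looks_like_time_based_sqli(string $sql): bool
{
    $patterns = [
        '/\b(SLEEP|BENCHMARK)\s*\(/i',
        '/\bORDER\s+BY\b.*\b(IF|CASE|AND|OR)\s*\(/i',
        '/\bORDER\s+BY\b.*\(\s*SELECT\b/i',
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $sql) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed blind payload: sleeps 5 s only if the first byte of user ID 1's
// password hash is '$' (WordPress hashes start with "$P$" or "$wp$"), so the
// attacker learns one bit per request from the response time.
$payload = '(SELECT IF(SUBSTRING(user_pass,1,1)=\'$\',SLEEP(5),0) FROM wp_users WHERE ID=1)';

echo "Vulnerable builder with payload:\n  " . build_order_query_vulnerable($payload) . "\n";
echo "Hardened builder with ('login','desc'):\n  " . build_order_query_hardened('login', 'desc') . "\n";
try {
    build_order_query_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "Hardened builder rejected payload: " . $e->getMessage() . "\n";
}

// Constructed general-log style lines (timestamp, connection id, event, SQL).
$logLines = [
    '2024-08-29T05:31:02Z    12 Query   ' . build_order_query_vulnerable('user_login'),
    '2024-08-29T05:31:07Z    12 Query   ' . build_order_query_vulnerable($payload),
];
foreach ($logLines as $line) {
    $verdict = looks_like_time_based_sqli($line) ? 'SUSPICIOUS' : 'ok';
    echo "[{$verdict}] {$line}\n";
}
```

The allowlist is the important part: the hardened builder never copies the request string into SQL, it only uses it as a lookup key, which is why no amount of escaping is needed there. The detector's patterns are deliberately narrow so that they can be dropped into a log pipeline or a WAF rule on the 'order' parameter without flagging ordinary sorts.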


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-08-08T02:02:55.217Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c1cb7ef31ef0b560009

Added to database: 2/25/2026, 9:39:40 PM

Last enriched: 2/26/2026, 3:43:48 AM

Last updated: 2/26/2026, 11:23:27 AM
