CVE-2024-38788

HIGH

UiPress lite < 3.4.06 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-38788. PoCs published by certuscyber.

AI-analyzed exploit summary The repository contains functional exploit code for multiple WordPress plugin vulnerabilities, including SQL injection (CVE-2014-5182, CVE-2014-5185) and insecure deserialization (CVE-2020-29045). The PoCs demonstrate authentication, payload delivery, and data exfiltration.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bởi Admin 2020 UiPress lite allows SQL Injection.This issue affects UiPress lite: from n/a through 3.4.06.

Exploits (1)

github WORKING POC 3 stars
by certuscyber · pythonpoc
https://github.com/certuscyber/cve-pocs/tree/main/CVE-2024-38788

The repository contains functional exploit code for multiple WordPress plugin vulnerabilities, including SQL injection (CVE-2014-5182, CVE-2014-5185) and insecure deserialization (CVE-2020-29045). The PoCs demonstrate authentication, payload delivery, and data exfiltration.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress YAWPP plugin <= 1.2, WordPress Quartz plugin <= 1.01.1
Auth required
Prerequisites: WordPress installation with vulnerable plugin · Valid user credentials (contributor role or higher)
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.6
EPSS 0.0061
EPSS Percentile 44.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Bởi Admin 2020/UiPress lite < 3.4.06
uipress/uipress_lite < 3.4.07
Published Jul 22, 2024
Tracked Since Feb 18, 2026