CVE-2024-38793

HIGH

Best Restaurant Menu by PriceListo <= 1.4.1 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-38793. PoCs published by ret2desync.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2024-38793, an authenticated SQL injection vulnerability in the WordPress plugin 'Best Restaurant Menu by PriceListo' (versions <= 1.4.1). The exploit automates login, post creation, and SQLi payload injection to extract user credentials (usernames and password hashes).

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PriceListo Best Restaurant Menu by PriceListo allows SQL Injection.This issue affects Best Restaurant Menu by PriceListo: from n/a through 1.4.1.

Exploits (1)

nomisec WORKING POC
by ret2desync · poc
https://github.com/ret2desync/CVE-2024-38793-PoC

This repository contains a functional Python exploit for CVE-2024-38793, an authenticated SQL injection vulnerability in the WordPress plugin 'Best Restaurant Menu by PriceListo' (versions <= 1.4.1). The exploit automates login, post creation, and SQLi payload injection to extract user credentials (usernames and password hashes).

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Best Restaurant Menu by PriceListo WordPress plugin <= 1.4.1
Auth required
Prerequisites: WordPress instance with vulnerable plugin installed · Contributor+ privileges
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.5
EPSS 0.0118
EPSS Percentile 63.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
PriceListo/Best Restaurant Menu by PriceListo < 1.4.1
pricelisto/great_restaurant_menu_wp < 1.4.2
Published Aug 29, 2024
Tracked Since Feb 18, 2026