WPExperts Square For GiveWP Vulnerability (Medium) – CVE-2024-47338


Feb 26, 2026 | Plugins

Attack Vectors

CVE-2024-47338 affects the WPExperts Square For GiveWP WordPress plugin (slug: wpexperts-square-for-give) in versions up to and including 1.3. This is a Medium severity issue (CVSS 4.9) that can be exploited over the network without user interaction, but it requires authenticated access with Administrator-level permissions (or higher).

In practical terms, this risk is most relevant when Administrator access is gained through credential theft, shared accounts, weak access controls, or when multiple internal users/partners/vendors have elevated WordPress access. Once an attacker has that level of access, they may be able to leverage the plugin’s vulnerable functionality to extract sensitive data from the site’s database.

Reference: CVE-2024-47338

Security Weakness

The vulnerability is an SQL Injection: a user-supplied parameter is neither escaped nor bound through a prepared statement, so its value is concatenated directly into an existing SQL query. An authenticated attacker with Administrator-level access can therefore terminate or extend the intended query and append SQL of their own choosing.

According to the public advisory, this can be used to extract sensitive information from the database. The required privilege level is high (PR:H), and a WordPress Administrator can normally already install plugins or edit theme files, so the marginal impact is greatest on hardened sites where file modification is disabled (DISALLOW_FILE_MODS) or on multisite installs where site Administrators lack those rights. It remains a real business risk because Administrator accounts are a frequent target in real-world attacks.
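To make the weakness concrete, here is an added illustration in Python (not code from the Square For GiveWP plugin, whose source is not reproduced here). It mirrors the pattern the advisory describes, a request value interpolated into an existing query with no escaping and no prepared statement, shows how an Administrator-level request can append a UNION that reads rows from an unrelated table, and shows the parameterised form that closes the hole. The tables, the 'record_id' parameter, the sample rows and the payload are all constructed for this example; the WordPress equivalent of the fix is $wpdb->prepare() with a %d placeholder.

```python
"""
Added example for CVE-2024-47338's class of bug (not plugin code).
Everything in the schema and the payload is constructed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: one plugin table plus a table the
    plugin query was never meant to expose (stand-in for wp_users)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE plugin_payments (id INTEGER PRIMARY KEY, amount TEXT, status TEXT);
        CREATE TABLE site_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                                 user_email TEXT, user_pass TEXT);
        INSERT INTO plugin_payments VALUES (1, '25.00', 'completed'), (2, '40.00', 'pending');
        INSERT INTO site_users VALUES
            (1, 'admin',  'admin@example.org',  '$P$BhashA'),
            (2, 'editor', 'editor@example.org', '$P$BhashB');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """The pattern the advisory describes: the request value is concatenated
    straight into the SQL string, so anything after the digit becomes SQL."""
    sql = f"SELECT amount, status FROM plugin_payments WHERE id = {record_id}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, record_id: str) -> list:
    """The fix: coerce the value to an integer and bind it as a parameter.
    In a WordPress plugin the equivalent is
    $wpdb->prepare( "... WHERE id = %d", absint( $record_id ) )."""
    try:
        safe_id = int(record_id)
    except ValueError:
        return []  # reject anything that is not a plain integer
    sql = "SELECT amount, status FROM plugin_payments WHERE id = ?"
    return conn.execute(sql, (safe_id,)).fetchall()


# Constructed payload: a valid id followed by a UNION that pulls two columns
# out of the users table through the same two-column query.
PAYLOAD = "1 UNION ALL SELECT user_email, user_pass FROM site_users"


def demo() -> dict:
    """Run both lookups against the same payload and a normal value."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "fixed": lookup_fixed(conn, PAYLOAD),
        "fixed_normal": lookup_fixed(conn, "2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns the payment row followed by every e-mail address and password hash in the users table; the fixed lookup rejects the payload outright and still answers a normal numeric id. The same separation of code from data is what $wpdb->prepare() provides in WordPress, and it is the change a patched plugin release is expected to contain.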

Source: Wordfence vulnerability record

Technical or Business Impacts

If exploited, this Medium severity SQL Injection vulnerability could lead to exposure of sensitive database information. Depending on what your WordPress database contains, that may include donor/customer records, operational details, or other data that increases fraud risk and creates regulatory or contractual concerns.

For marketing directors and business owners, the primary impact is not just technical—it’s business disruption and reputational damage. Data exposure incidents can trigger incident response costs, legal/compliance review, and potential customer trust erosion, especially for donation-driven campaigns where confidence and integrity are central to conversion.

Remediation: Update WPExperts Square For GiveWP to version 1.3.2 or a newer patched version. Confirm the installed version under Plugins in the WordPress admin (or with `wp plugin list` via WP-CLI), and take the opportunity to review which accounts hold Administrator rights, since that privilege is the precondition for exploitation.

Similar Attacks

SQL injection is a long-standing technique used in real-world incidents to access sensitive data. The breaches below are widely cited examples of the scale of harm that database exposure causes, although strictly neither began with SQL injection (Capital One involved server-side request forgery against a cloud metadata endpoint; Equifax involved an unpatched Apache Struts flaw):

Capital One (2019) — U.S. DOJ press release
Equifax (2017) — FTC settlement information
