A high-severity vulnerability has been identified in the WP Dispatcher plugin for WordPress, which could allow an unauthenticated attacker to steal, modify, or delete sensitive information from the website's database. Successful exploitation could lead to a complete compromise of the affected website, resulting in data breaches and significant reputational damage. Immediate patching is required to mitigate this critical risk.

The WP Dispatcher plugin is vulnerable to a SQL Injection attack. An attacker can inject malicious SQL code into the ‘id’ parameter of a request processed by the plugin. Because the application fails to properly sanitize this user-supplied input before using it in a database query, the malicious code is executed by the database, allowing the attacker to bypass security measures and directly interact with the database.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could have severe consequences for the business, including the unauthorized disclosure of sensitive data such as customer information, user credentials, and proprietary business data. An attacker could also manipulate or delete data, leading to website defacement, loss of data integrity, and disruption of business operations. A full site compromise could result in significant financial loss, regulatory fines, and lasting damage to the organization's reputation.

Immediate Action:

• Identify all WordPress instances running the vulnerable "WP Dispatcher" plugin.
• Update the plugin to the latest patched version immediately. If a patch is not yet available, disable and uninstall the plugin.
• If the plugin is not essential for business operations, it is recommended to remove it permanently to reduce the attack surface.

Proactive Monitoring:

• Review web server access logs for requests targeting the WP Dispatcher plugin, specifically looking for suspicious or malformed values in the ‘id’ parameter. Pay attention to entries containing SQL keywords like SELECT, UNION, INSERT, or comment characters like -- and #.
• Monitor database logs for unusual or unauthorized queries, especially those originating from the web server's user account that deviate from normal application behavior.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a robust ruleset to detect and block SQL Injection attempts against the web server.
• Ensure the WordPress database user account is configured with the principle of least privilege, limiting its ability to perform actions beyond what is strictly necessary for the application to function.

Public Exploit Available: false

Given the high severity (CVSS 8.8) of this vulnerability, we recommend immediate action. All administrators of WordPress websites should prioritize identifying and updating the WP Dispatcher plugin without delay. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its critical nature makes it a prime target for opportunistic attackers. Proactive patching is the most effective defense and should be treated as an urgent priority to prevent potential data breaches and system compromise.