CVE-2025-32303

Mojoomla · Mojoomla WPCHURCH

A critical vulnerability has been identified in the Mojoomla WPCHURCH plugin, which could allow a remote, unauthenticated attacker to access and manipulate the website's database.

Executive summary

As the summary above states, the flaw allows a remote, unauthenticated attacker to access and manipulate the website's database. Successful exploitation could lead to the theft of sensitive information, such as user data and credentials, or a complete compromise of the affected website's data integrity.

Vulnerability

The vulnerability is a Blind SQL Injection, which results from the application's failure to properly sanitize user-supplied input before incorporating it into an SQL query. An attacker can submit specially crafted input to a vulnerable parameter, and that input is then executed by the back-end database. Because the injection is "blind", the attacker receives no direct database output in the web response. Instead, they must infer data by posing true/false questions to the database and observing how the application behaves in response (for example, differences in response time or page content), which allows data to be exfiltrated piece by piece.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.3. Exploitation could have a severe impact on the business, leading to a significant data breach. An attacker could exfiltrate the entire contents of the database, including sensitive user information, administrator credentials, and other confidential data. This could result in direct financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines for non-compliance with data protection standards.

Remediation

Immediate Action: Update the Mojoomla WPCHURCH plugin to the latest available version (newer than 2.7.0), which addresses this vulnerability. After patching, monitor for post-patch exploitation attempts and review historical access logs for indicators of compromise from before the patch was applied.

Proactive Monitoring: Implement enhanced monitoring of web server and database logs. Look for suspicious requests containing SQL keywords or injection fragments (e.g., UNION, SELECT, SLEEP(), ' OR '1'='1') or time-based queries aimed at the application. Monitor for an unusual number of requests from a single source or unexpectedly long database response times, as these can be indicators of a Blind SQL injection attack in progress.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a ruleset designed to detect and block SQL injection attacks. Additionally, ensure the database user account associated with the web application operates with the principle of least privilege, limiting an attacker's ability to read from sensitive tables or modify the database structure.
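An added example (not from the advisory or the vendor) of the log review described under Proactive Monitoring: it scans constructed Apache access-log lines, URL-decodes each request, flags injection shapes such as SLEEP() and ' OR '1'='1, marks unusually slow responses, and counts repeat sources. The endpoint, parameter names, IP addresses and the 3-second threshold are assumptions; the advisory does not name the vulnerable parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines, not taken from the advisory: Apache "combined" format with the
# request service time in microseconds (%D) appended. Endpoint and parameter names are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=list&id=12 HTTP/1.1" 200 512 120000
203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=list&id=12%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512 5120000
203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=list&id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 130000
198.51.100.7 - - [01/Jan/2025:10:00:10 +0000] "GET /?s=church+select+committee HTTP/1.1" 200 2048 90000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<micros>\d+)$'
)

# Match injection shapes, not bare keywords: a lone SELECT or UNION in a search
# string is ordinary traffic and would flood the alert queue with false positives.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "tautology": re.compile(r"'\s*(OR|AND)\s*'?\w+'?\s*=\s*'?\w+", re.I),
}

def scan_log(text: str, slow_ms: int = 3000) -> list[dict]:
    """Return one finding per request that shows blind SQL injection indicators."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess at fields
        target = unquote_plus(m["target"])  # decode %27 / %20 / '+' before matching
        reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(target)]
        elapsed_ms = int(m["micros"]) // 1000
        if elapsed_ms >= slow_ms:  # threshold is an assumption; tune to the site's baseline
            reasons.append(f"slow-response:{elapsed_ms}ms")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "target": target, "reasons": reasons})
    return findings

def noisy_sources(findings: list[dict], min_hits: int = 2) -> dict[str, int]:
    """Sources with repeated hits: blind injection needs many true/false probes."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), noisy_sources(scan_log(SAMPLE_LOG)), sep="\n")
```

Feed it real access logs only after confirming the log format includes a service-time field; otherwise the slow-response check has nothing to read and only the pattern matches apply.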

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.3) of this vulnerability, immediate action is required. Organizations using the affected versions of the Mojoomla WPCHURCH plugin must prioritize applying the vendor-supplied patch to mitigate the risk of a data breach. Although this vulnerability is not currently listed on the CISA KEV catalog, its high potential for impact makes it an attractive target for attackers. Proactive remediation is essential to prevent potential data compromise and protect sensitive organizational and customer data.