CVE-2025-9073
WordPress · WordPress "All in one Minifier" plugin
Executive summary
A high-severity vulnerability has been identified in the "All in one Minifier" plugin for WordPress. This flaw, a SQL Injection, could allow an unauthenticated attacker to manipulate the website's database by sending a specially crafted request. Successful exploitation could lead to unauthorized access, modification, or theft of sensitive data, including user information and website content.
Vulnerability
The plugin is vulnerable to a SQL Injection attack due to insufficient sanitization of user-supplied data in the 'post_id' parameter. An attacker can inject malicious SQL queries into this parameter within a web request. Because the application fails to properly validate this input, the malicious code is executed directly by the backend database, granting the attacker the ability to read, modify, or delete database records and potentially escalate their privileges.
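The defect class described above, shown side by side with its hardened form. This is an added illustration written for this page, not code from the "All in one Minifier" plugin: it uses Python with an in-memory SQLite table standing in for the WordPress posts table, and the table rows, function names and the request values passed to them are constructed for the example. The hardened path does what WordPress code should do with a post_id: coerce it to a positive integer (the equivalent of absint()) and bind it as a query parameter instead of splicing it into the SQL text.

```python
import re
import sqlite3

# Constructed sample rows standing in for a WordPress posts table (hypothetical data).
SAMPLE_POSTS = [
    (1, "Hello world", "publish"),
    (2, "Draft notes", "draft"),
    (3, "Private memo", "private"),
]


def make_db():
    """Build a throwaway SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def lookup_post_unsafe(conn, raw_post_id):
    """The defect class in the advisory: the raw request value is concatenated into
    the SQL text, so whatever it contains is parsed and executed by the database."""
    sql = "SELECT id, title FROM posts WHERE id = " + raw_post_id
    return conn.execute(sql).fetchall()


def validate_post_id(raw):
    """Accept only a positive decimal integer (what absint() would yield in WordPress).
    Quotes, spaces, keywords and comment markers are rejected before the DB sees them."""
    if not re.fullmatch(r"[1-9][0-9]*", raw):
        raise ValueError("post_id must be a positive integer")
    return int(raw)


def lookup_post_safe(conn, raw_post_id):
    """Hardened form: validate the type, then bind the value as a parameter so the
    database never interprets it as SQL. Either layer alone would stop the injection;
    using both keeps the query safe if one is later weakened."""
    post_id = validate_post_id(raw_post_id)
    return conn.execute("SELECT id, title FROM posts WHERE id = ?", (post_id,)).fetchall()


def demo(raw_post_id):
    """Run both variants on the same request value and return (unsafe_rows, safe_rows);
    safe_rows is None when validation rejected the value."""
    conn = make_db()
    unsafe = lookup_post_unsafe(conn, raw_post_id)
    try:
        safe = lookup_post_safe(conn, raw_post_id)
    except ValueError:
        safe = None
    return unsafe, safe


if __name__ == "__main__":
    # A legitimate id behaves the same in both variants.
    print(demo("2"))
    # A value with an injected condition makes the unsafe query return every row,
    # while the hardened path rejects it before any query runs.
    print(demo("2 OR 1=1"))
```

The point of the demo is the contrast in the second call: the unsafe variant happily returns all three rows because the condition was parsed as SQL, whereas the hardened variant never reaches the database. In a real plugin the same two lines of defence are `absint( $_REQUEST['post_id'] )` followed by `$wpdb->prepare()` with a `%d` placeholder.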
Business impact
This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation could have significant business consequences, including a data breach of sensitive customer or user information, leading to reputational damage and potential regulatory fines. An attacker could also deface the website, delete content, or disrupt business operations by corrupting the database. The direct financial impact could stem from incident response costs, customer notification expenses, and loss of business due to service unavailability or diminished customer trust.
Remediation
Immediate Action:
- Update: Immediately update the "All in one Minifier" plugin to the latest available version (greater than version 3) where the vulnerability has been patched.
- Review and Remove: If the plugin is not essential for business operations, the most secure course of action is to disable and completely uninstall it to eliminate the attack surface.
- Security Review: Conduct a review of all WordPress plugins and themes to ensure they are up-to-date and necessary.
Proactive Monitoring:
- Web Server Logs: Monitor web server access logs for requests containing suspicious patterns in the 'post_id' parameter, such as SQL keywords (UNION, SELECT, --), special characters, or abnormally long strings.
- WAF/IDS Logs: Review Web Application Firewall (WAF) and Intrusion Detection/Prevention System (IDS/IPS) logs for alerts related to SQL Injection signatures targeting the affected website.
- Database Activity: Monitor for unusual database queries, unexpected errors, or unauthorized access attempts in the database logs.
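The access-log check in the monitoring list above, as a small scanner added for this page (it is not part of the advisory or the plugin). It parses common-log-format lines, URL-decodes the 'post_id' query parameter and flags any value that is not a plain integer, giving a reason for each hit: SQL keyword, comment marker or quote, or abnormal length. The log lines, client addresses and the request path (including the 'action=example_action' parameter) are constructed for the example and do not describe the plugin's real endpoints.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format). Addresses are from the
# documentation ranges; the admin-ajax path and action name are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&post_id=42 HTTP/1.1" 200 512
203.0.113.10 - - [01/Sep/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&post_id=42%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 2048
198.51.100.7 - - [01/Sep/2025:10:00:03 +0000] "GET /?p=7 HTTP/1.1" 200 4096
198.51.100.7 - - [01/Sep/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?post_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
"""

# One line of the common log format: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators named in the advisory: SQL keywords, comment markers, quotes, long values.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I)
COMMENT_OR_QUOTE = re.compile(r"(--|#|/\*|'|\")")
MAX_LEN = 32  # a WordPress post id never needs more characters than this


def extract_post_id(target):
    """Return every decoded post_id value in the request target (empty list if none)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("post_id", [])


def classify_post_id(value):
    """Return the list of reasons a post_id value looks suspicious; empty means benign."""
    if re.fullmatch(r"[0-9]+", value):
        return []
    reasons = []
    if SQL_KEYWORDS.search(value):
        reasons.append("sql-keyword")
    if COMMENT_OR_QUOTE.search(value):
        reasons.append("comment-or-quote")
    if len(value) > MAX_LEN:
        reasons.append("too-long")
    if not reasons:
        reasons.append("non-integer")
    return reasons


def scan_log(text):
    """Walk the log and collect one record per suspicious post_id value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        for value in extract_post_id(m["target"]):
            reasons = classify_post_id(value)
            if reasons:
                hits.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "post_id": value,
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"post_id={hit['post_id']!r} reasons={','.join(hit['reasons'])}")
```

Decoding before matching matters: the second sample line carries its payload percent-encoded, so a naive grep for the literal word UNION on the raw line would miss it. A 200 response to a flagged request is worth more attention than a 500, since it suggests the injected query executed without error.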
Compensating Controls:
- Web Application Firewall (WAF): Implement a WAF with a robust ruleset configured to detect and block common SQL Injection attack patterns. This can serve as a virtual patch if immediate updating is not feasible.
- Database Permissions: Ensure the database user account associated with the WordPress application operates under the principle of least privilege and does not have permissions to alter database structure or access sensitive system tables.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the potential for severe data compromise, immediate remediation is strongly recommended. Organizations must prioritize patching the "All in one Minifier" plugin on all WordPress instances. If the plugin's functionality is not critical, it should be removed entirely. Although this vulnerability is not currently listed on the CISA KEV catalog, its critical nature warrants urgent attention to prevent potential exploitation.