Cyber Resilience

CVE-2024-13184

Severity: High
Published: 18 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0128 (80.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13184 is a high-severity SQL injection (CWE-89) vulnerability in WordPress (asset inferred from references). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13184 is a time-based SQL injection vulnerability in The Ultimate WordPress Toolkit – WP Extended plugin for WordPress, affecting all versions up to and including 3.0.12. The flaw exists in the Login Attempts module: a user-supplied parameter is insufficiently escaped and the existing SQL query is not sufficiently prepared, so attackers can append additional SQL to the query the plugin already runs.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation enables extraction of sensitive information from the database through time-based (blind) SQL injection against the existing query.

Advisories and plugin resources indicate mitigation through patching: changeset 3220003 addresses the issue in the plugin's Trac repository at line 105 of the wpext_limit_login_attempts.php file. Further details are provided in the Wordfence threat intelligence report and the plugin's developer page on WordPress.org.
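The weakness class described above (a request parameter concatenated into an existing query) and the SI-10 remediation (validate, then parameterise) are easiest to see side by side. The following is an added illustration written for this page, not code from the WP Extended plugin or from its changeset; the table name, column names and function names are hypothetical, and the only real APIs used are WordPress's `$wpdb->prepare()` / `$wpdb->get_var()` and PHP's `filter_var()`.

```php
<?php
// Added illustration (not the WP Extended plugin's code) of the CWE-89 pattern the
// advisory describes and its remediation with $wpdb->prepare().
// Assumes a hypothetical table {$wpdb->prefix}login_attempts with the columns
// ip_address and attempt_time; none of these names come from the advisory.

// VULNERABLE PATTERN: the request parameter is interpolated straight into the SQL
// string, so the database cannot tell attacker text from query structure (CWE-89).
// Escaping alone is a weaker control than binding, which is why the hardened
// version below relies on placeholders rather than on quoting by hand.
function hypothetical_count_attempts_vulnerable( $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'login_attempts';
    $sql   = "SELECT COUNT(*) FROM {$table} WHERE ip_address = '" . $ip . "'";
    return (int) $wpdb->get_var( $sql );
}

// HARDENED: validate the parameter against its expected type first (NIST 800-53
// SI-10), then bind it with a placeholder so it is always treated as data.
function hypothetical_count_attempts_hardened( $ip ) {
    global $wpdb;

    // Reject anything that is not a well-formed IPv4 or IPv6 address.
    $ip = filter_var( $ip, FILTER_VALIDATE_IP );
    if ( false === $ip ) {
        return 0;
    }

    // The table name is built from the trusted $wpdb->prefix, never from input;
    // %s is quoted and escaped by $wpdb->prepare().
    $table = $wpdb->prefix . 'login_attempts';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE ip_address = %s",
        $ip
    );
    return (int) $wpdb->get_var( $sql );
}

// Typical call site inside a login hook: the client address is untrusted input
// and is passed through the validating, parameterised path.
$attempts = hypothetical_count_attempts_hardened( $_SERVER['REMOTE_ADDR'] ?? '' );
```

The same two steps apply to every other value that reaches a query from a request (usernames, timestamps, pagination offsets): constrain the value to its expected shape, then pass it to `$wpdb->prepare()` with the matching placeholder (`%s`, `%d`, `%f`). Reviewing a plugin for this class of bug means looking for any `$wpdb->query()`, `get_var()`, `get_results()` or similar call whose SQL string is assembled with interpolation or concatenation of a variable that ultimately originates from `$_GET`, `$_POST`, `$_SERVER` or a request header.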

Vulnerability details

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

A directly reachable, unauthenticated SQL injection in a public WordPress plugin corresponds to T1190; the resulting extraction of database contents maps to T1213.006.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)
CVE-2024-13369 (shared CWE-89)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 Information Input Validation

Requires validation of user-supplied parameters before use in SQL queries, directly addressing the insufficient escaping and preparation that enables time-based SQL injection.

prevent: SI-2 Flaw Remediation

Mandates timely remediation of flaws, including patching the WP Extended plugin to fix the SQL injection vulnerability as addressed in changeset 3220003.

detect

Enables vulnerability scanning to identify SQL injection issues like CVE-2024-13184 in web plugins, facilitating detection and prioritisation for remediation.
