CVE-2024-13184
Published: 18 January 2025
Summary
CVE-2024-13184 is a high-severity SQL Injection (CWE-89) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13184 is a time-based SQL injection vulnerability in The Ultimate WordPress Toolkit – WP Extended plugin for WordPress, affecting all versions up to and including 3.0.12. The flaw exists in the Login Attempts module due to insufficient escaping of user-supplied parameters and lack of sufficient preparation on existing SQL queries, allowing attackers to append additional SQL queries.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation enables extraction of sensitive information from the database by injecting time-based SQL payloads into existing queries.
Advisories and plugin resources indicate mitigation through patching, with changeset 3220003 addressing the issue in the plugin's trac repository at line 105 of the wpext_limit_login_attempts.php file. Further details are provided in the Wordfence threat intelligence report and the plugin's developer page on WordPress.org.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51406
Vulnerability details
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated SQL injection in a public-facing WordPress plugin enables exploitation under T1190; the resulting extraction of data from the database maps to T1213.006.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied parameters before they are used in SQL queries, directly addressing the insufficient escaping and lack of query preparation that enables time-based SQL injection.
- SI-2 (Flaw Remediation): mandates timely remediation of flaws, including updating the WP Extended plugin to the release that fixes the SQL injection, as addressed in changeset 3220003.
- Enables vulnerability scanning to identify SQL injection issues like CVE-2024-13184 in web plugins, facilitating detection and prioritization for remediation.
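The root cause described above (a user-supplied value concatenated into an existing SQL query without escaping or preparation) and the SI-10 control that addresses it are easiest to see side by side. The following is an added illustration written for this page; it is not the WP Extended plugin's code, which is not reproduced here. The function names, the `demo_login_attempts` table and its `ip` column are hypothetical; `$wpdb->prepare()`, `$wpdb->get_var()` and `$wpdb->prefix` are the real WordPress database API.

```php
<?php
/**
 * Added illustration, not the WP Extended plugin's own code.
 * Shows the query pattern the advisory describes (client input interpolated
 * into SQL text) beside the prepared-statement form that closes it.
 * Table and column names are hypothetical.
 */

// VULNERABLE PATTERN (illustrative): the client-supplied value is interpolated
// straight into the statement, so whatever it contains is parsed as SQL.
// This is the class of defect the advisory describes, not its exact code.
function demo_failed_attempts_unsafe( $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_login_attempts'; // hypothetical table
    $sql   = "SELECT COUNT(*) FROM {$table} WHERE ip = '{$ip}'";
    return (int) $wpdb->get_var( $sql );
}

// HARDENED FORM: validate the value's shape first (SI-10), then bind it with
// $wpdb->prepare() so it can only ever be a string parameter, never SQL.
function demo_failed_attempts_safe( $ip ) {
    global $wpdb;

    // Input validation: a login-attempt counter only ever needs an IP literal,
    // so anything else is rejected before it gets near the query.
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return 0;
    }

    $table = $wpdb->prefix . 'demo_login_attempts'; // hypothetical table

    // %s is a bound string placeholder; the table name is the site prefix
    // plus a constant, so it is not attacker-influenced.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE ip = %s",
        $ip
    );
    return (int) $wpdb->get_var( $sql );
}

// Typical call site: the address comes from the request and is untrusted.
$client_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
$attempts  = demo_failed_attempts_safe( $client_ip );
```

The defensive point is that validation and preparation are complementary rather than alternatives: `filter_var()` narrows the value to the shape the module actually needs, and `$wpdb->prepare()` guarantees that even a value which passes validation is sent to MySQL as data. Note also that any value a login-attempts module records about the client (a form field or a proxy header such as `X-Forwarded-For`) is under the remote party's control and must be treated exactly like `$_POST` input, which is why it belongs on the bound-parameter side of the query and never in the query text.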