CVE-2024-13232
Published: 05 March 2025
Summary
CVE-2024-13232 is a high-severity Missing Authorization (CWE-862) vulnerability; the affected product is attributed to Codecanyon (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly remediates the arbitrary SQL execution flaw in the WordPress plugin by identifying, reporting and applying patches to versions beyond 4.1.1.
- AC-3 (Access Enforcement): enforces approved authorizations to block low-privilege authenticated users from reaching the vulnerable renderImport() function, which lacks a capability check.
- SI-10 (Information Input Validation): validates and sanitizes inputs to the renderImport() function, preventing arbitrary SQL statements from being executed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization check that enables arbitrary SQL execution in a public-facing WordPress plugin, directly facilitating privilege escalation through the creation of administrator accounts (T1068) and exploitation of the public-facing web application (T1190).
NVD Description
The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable to arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can be leveraged to create a new administrative user account.
Deeper analysis
CVE-2024-13232 is an arbitrary SQL execution and privilege escalation vulnerability in the WordPress Awesome Import & Export Plugin, also referred to as the Import & Export WordPress Data plugin for WordPress. The issue arises from a missing capability check in the renderImport() function, affecting all versions up to and including 4.1.1. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability over the network with low complexity and no user interaction. By calling the renderImport() function, they can execute arbitrary SQL statements, which can be leveraged to create a new administrative user account, potentially granting full control over the WordPress site.
Advisories and further details are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f24f0673-b5c8-4086-8795-692228a413af?source=cve and the plugin's CodeCanyon page at https://codecanyon.net/item/wordpress-awesome-import-export-plugin-v-24/12896266. Security practitioners should review these sources for patch information and mitigation guidance.
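The missing capability check described above, shown as an added example that is not the plugin's own code: a hypothetical WordPress AJAX import handler in the vulnerable shape (every logged-in user reaches a query built from request input) beside a hardened version that enforces authorization (AC-3) with current_user_can(), ties the request to a nonce, and validates input (SI-10) so no caller-supplied SQL ever runs. The hook name, capability, field names and import types are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. Hook, capability and
// field names are hypothetical; the shape mirrors the advisory's pattern.

// Vulnerable shape (CWE-862): reachable by any authenticated user because the
// handler never asks who is calling, and it executes request-supplied SQL.
function example_render_import_vulnerable() {
    global $wpdb;
    // No current_user_can() and no nonce check before this line.
    $wpdb->query( wp_unslash( $_POST['sql'] ) ); // caller controls the statement
    wp_die();
}

// Hardened shape: authorization, CSRF binding, allow-listed and typed input,
// and no raw SQL at all.
add_action( 'wp_ajax_example_render_import', 'example_render_import_hardened' );
function example_render_import_hardened() {
    // AC-3: only users permitted to manage the site may trigger an import.
    // wp_send_json_error() ends the request, so nothing below runs for others.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Bind the request to a nonce issued for this action (dies on mismatch).
    check_ajax_referer( 'example_import_action', 'nonce' );

    // SI-10: accept only a known post type and a sanitized title; the caller
    // never supplies SQL, so there is nothing to inject into.
    $allowed_types = array( 'post', 'page' ); // assumed allow-list
    $type = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : '';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        wp_send_json_error( 'invalid import type', 400 );
    }
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( 'missing title', 400 );
    }

    // Use the core API rather than hand-built SQL; it handles escaping itself.
    $post_id = wp_insert_post( array(
        'post_title'  => $title,
        'post_type'   => $type,
        'post_status' => 'draft',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'imported' => (int) $post_id ) );
}
```

The same two checks (capability plus nonce) are what a reviewer should look for at the top of any admin-ajax or REST handler in the patched plugin.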
Details
- CWE(s)