Cyber Resilience

CVE-2024-13496

High

Published: 22 January 2025

Published
22 January 2025
Modified
24 March 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.1931 95.5th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13496 is a high-severity SQL Injection (CWE-89) vulnerability in Gamipress Gamipress. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The GamiPress – Gamification plugin for WordPress, which enables points, achievements, badges, and ranks, contains a time-based SQL injection vulnerability in the orderby parameter. The flaw stems from insufficient escaping of user-supplied input and inadequate preparation of SQL queries, affecting all versions through 7.3.1; the correct remediation version is 7.3.2. This issue is tracked as CWE-89 and carries a CVSS 3.1 score of 7.5.

Unauthenticated attackers can supply a malicious orderby value to append arbitrary SQL to existing queries, enabling extraction of sensitive database contents without authentication or user interaction.

Advisories and the plugin changelog indicate that the issue was addressed in version 7.3.2 via updates to the affected AJAX and query-handling code paths; site administrators should update immediately through the WordPress plugin directory or apply the referenced changeset.

The EPSS score rose from a low baseline to a peak of 0.4139 on 2025-12-11 before receding to the current value of 0.1931, indicating that exploitation interest emerged after public disclosure.

EU & UK References

Vulnerability details

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on…

more

the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was previously published as being fixed in version 7.2.2 which was incorrect. The correct fixed version is 7.3.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote SQL injection in public-facing WordPress plugin enables exploitation of the web application for database data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13499Same product: Gamipress Gamipress
CVE-2024-13495Same product: Gamipress Gamipress
CVE-2026-39334Shared CWE-89
CVE-2024-13488Shared CWE-89
CVE-2026-20002Shared CWE-89
CVE-2025-1446Shared CWE-89
CVE-2025-22699Shared CWE-89
CVE-2026-36232Shared CWE-89
CVE-2026-31871Shared CWE-89
CVE-2026-33078Shared CWE-89

Affected Assets

gamipress
gamipress
≤ 7.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the SQL injection flaw in the GamiPress plugin by updating to the patched version 7.3.2.

prevent

Mandates validation and sanitization of user-supplied inputs like the 'orderby' parameter to prevent injection of malicious SQL payloads into database queries.

preventdetect

Provides for vulnerability scanning to identify SQL injection issues in plugins like GamiPress and subsequent remediation to mitigate exploitation.

References