CVE-2024-13496
Published: 22 January 2025
Summary
CVE-2024-13496 is a high-severity SQL Injection (CWE-89) vulnerability in Gamipress Gamipress. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The GamiPress – Gamification plugin for WordPress, which enables points, achievements, badges, and ranks, contains a time-based SQL injection vulnerability in the orderby parameter. The flaw stems from insufficient escaping of user-supplied input and inadequate preparation of SQL queries, affecting all versions through 7.3.1; the correct remediation version is 7.3.2. This issue is tracked as CWE-89 and carries a CVSS 3.1 score of 7.5.
Unauthenticated attackers can supply a malicious orderby value to append arbitrary SQL to existing queries, enabling extraction of sensitive database contents without authentication or user interaction.
Advisories and the plugin changelog indicate that the issue was addressed in version 7.3.2 via updates to the affected AJAX and query-handling code paths; site administrators should update immediately through the WordPress plugin directory or apply the referenced changeset.
The EPSS score rose from a low baseline to a peak of 0.4139 on 2025-12-11 before receding to the current value of 0.1931, indicating that exploitation interest emerged after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51632
Vulnerability details
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on…
more
the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was previously published as being fixed in version 7.2.2 which was incorrect. The correct fixed version is 7.3.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote SQL injection in public-facing WordPress plugin enables exploitation of the web application for database data extraction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the SQL injection flaw in the GamiPress plugin by updating to the patched version 7.3.2.
Mandates validation and sanitization of user-supplied inputs like the 'orderby' parameter to prevent injection of malicious SQL payloads into database queries.
Provides for vulnerability scanning to identify SQL injection issues in plugins like GamiPress and subsequent remediation to mitigate exploitation.