CVE-2024-13726
Published: 17 February 2025
Summary
CVE-2024-13726 is a high-severity SQL Injection (CWE-89) vulnerability in Themescoder Themes Coder. Its CVSS base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The Coder WordPress plugin through version 1.3.4 contains a SQL injection vulnerability tracked as CVE-2024-13726. The flaw stems from insufficient sanitization and escaping of a parameter passed to an SQL statement inside an AJAX action handler, classified under CWE-89 with a CVSS 3.1 score of 8.6.
Unauthenticated attackers can invoke the affected AJAX endpoint over the network to inject arbitrary SQL, enabling extraction of sensitive data from the database with high confidentiality impact and changed scope.
The referenced WPScan advisory at https://wpscan.com/vulnerability/ec226d22-0c09-4e7c-86ec-b64819089b60/ documents the issue but supplies no explicit mitigation details in the available record. The associated EPSS score has remained flat at 0.1523 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51737
Vulnerability details
The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct unauthenticated SQL injection in a public-facing WordPress plugin enables remote exploitation for data access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted inputs, such as the unauthenticated AJAX parameter, before use in SQL statements, preventing SQL injection exploitation.
- Mandates timely identification, reporting, and patching of flaws such as this SQL injection vulnerability in the Coder WordPress plugin.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning that would identify SQL injection flaws in plugins like Coder through version 1.3.4, enabling proactive remediation.
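The following is an added illustration of the flaw class described under "Deeper analysis" and of the SI-10 control above; it is not the Coder plugin's code and is not taken from the WPScan advisory. It shows a hypothetical WordPress AJAX handler in the same shape (an action registered on the unauthenticated `wp_ajax_nopriv_` hook that passes a request parameter into SQL), first in the unsafe concatenating form and then hardened with type validation and `$wpdb->prepare()`. The table name `tc_demo_items`, the action names and the parameter names `item_id` and `q` are assumptions made for this example; the WordPress functions used (`$wpdb->prepare`, `$wpdb->esc_like`, `absint`, `sanitize_text_field`, `wp_unslash`, `wp_send_json_success`, `wp_send_json_error`) are the real WordPress APIs.

```php
<?php
// Added example, not the Coder plugin's code. Table, action and parameter
// names below are hypothetical. Shows the CWE-89 pattern from the advisory
// (request parameter reaching SQL via an unauthenticated AJAX action) and
// the hardened equivalent.

// --- Vulnerable pattern: the request parameter is interpolated into SQL ---
function tc_demo_get_item_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'tc_demo_items';
    // CWE-89: $_POST['item_id'] reaches the query with no validation or escaping.
    $sql  = "SELECT id, title FROM {$table} WHERE id = " . $_POST['item_id'];
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}
// The nopriv hook means anonymous visitors can reach this handler, which is
// the exposure the advisory describes.
add_action( 'wp_ajax_nopriv_tc_get_item_unsafe', 'tc_demo_get_item_unsafe' );

// --- Hardened pattern: validate the type, then parameterise the query ---
function tc_demo_get_item_safe() {
    global $wpdb;

    // An id must be a positive integer; anything else is rejected before SQL.
    $item_id = isset( $_POST['item_id'] ) ? absint( wp_unslash( $_POST['item_id'] ) ) : 0;
    if ( 0 === $item_id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    $table = $wpdb->prefix . 'tc_demo_items';
    // %d is an integer placeholder; the value is never spliced into the string.
    $sql   = $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $item_id );
    $rows  = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// --- Same idea for a free-text parameter used in a LIKE search ---
function tc_demo_search_safe() {
    global $wpdb;

    $term = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid search term' ), 400 );
    }

    $table = $wpdb->prefix . 'tc_demo_items';
    // esc_like() neutralises % and _ wildcards; %s binds the value as a string.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s LIMIT 20", $like );
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// If the feature must serve anonymous visitors, keep the nopriv registration
// only for the validated, prepared handlers; otherwise drop nopriv entirely
// and require a logged-in user (plus a nonce check) on the wp_ajax_ hook.
add_action( 'wp_ajax_nopriv_tc_get_item', 'tc_demo_get_item_safe' );
add_action( 'wp_ajax_tc_get_item', 'tc_demo_get_item_safe' );
add_action( 'wp_ajax_nopriv_tc_search', 'tc_demo_search_safe' );
add_action( 'wp_ajax_tc_search', 'tc_demo_search_safe' );
```

The two controls the page names map directly onto this: SI-10 is the `absint`/`sanitize_text_field` gate plus `$wpdb->prepare()`, and RA-5 is the scanning that would flag a plugin still at version 1.3.4 or earlier so it can be updated. When auditing a plugin for this pattern, the quickest check is to grep for `wp_ajax_nopriv_` registrations and confirm that every `$wpdb` call reachable from them goes through `prepare()`.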