CVE-2024-0594
📋 TL;DR
This vulnerability allows authenticated attackers with subscriber-level access or higher to perform union-based SQL injection via the 'q' parameter of the Awesome Support WordPress plugin. By appending additional SQL to the existing query, attackers can extract sensitive information from the database. All WordPress sites running Awesome Support versions up to and including 6.1.7 are affected.
💻 Affected Systems
- Awesome Support – WordPress HelpDesk & Support Plugin
📦 What is this software?
Awesome Support by Getawesomesupport
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, personal data, and administrative access leading to site takeover.
Likely Case
Extraction of sensitive user data, plugin configuration secrets, and potential privilege escalation.
If Mitigated
Limited data exposure if proper input validation and prepared statements are implemented.
🎯 Exploit Status
Exploitation requires authenticated access (a subscriber-level account suffices), but union-based SQL injection is well documented and easily automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.8
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Awesome Support plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 6.1.8 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Remove or restrict access to the wpas_get_users action endpoint. Note that this also disables whatever plugin functionality relies on that user lookup.
Add to the theme's functions.php or a custom plugin:
    remove_action('wp_ajax_wpas_get_users', 'wpas_get_users');
    remove_action('wp_ajax_nopriv_wpas_get_users', 'wpas_get_users');
Input validation filter
Add input sanitization for the 'q' parameter. This is a stop-gap only: sanitize_text_field() strips tags, invalid octets and extra whitespace but leaves quotes in place, so it does not make the underlying query safe; prepared statements (the 6.1.8 update) are the real fix.
Add to the theme's functions.php:
    add_filter('wpas_get_users_query', function($query) {
        if (isset($_REQUEST['q'])) {
            $_REQUEST['q'] = sanitize_text_field($_REQUEST['q']);
        }
        return $query;
    });
🧯 If You Can't Patch
- Restrict user registration and review existing subscriber accounts for suspicious activity
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the wpas_get_users endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Awesome Support and note the version. If it is 6.1.7 or lower, the site is vulnerable.
Check Version:
wp plugin get awesome-support --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is 6.1.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to /wp-admin/admin-ajax.php with action=wpas_get_users and unusual 'q' parameter values
- Database error logs showing SQL syntax errors
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with SQL keywords in parameters
- Unusual data extraction patterns from authenticated sessions
SIEM Query:
source="web_access" AND uri="/wp-admin/admin-ajax.php" AND params.action="wpas_get_users" AND (params.q CONTAINS "UNION" OR params.q CONTAINS "SELECT" OR params.q CONTAINS "FROM")
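As an added example (not part of this advisory or the plugin), the log-side rule above as a small Python scanner over constructed Apache access-log lines: it scopes the match to admin-ajax.php with action=wpas_get_users exactly as the SIEM query does, and normalizes the 'q' value (an extra layer of URL decoding, inline comments used as whitespace) before matching the UNION/SELECT/FROM keywords, so the trivial evasions a plain CONTAINS check misses still fire. The log format, client addresses and sample requests are all assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache "combined" access-log lines, not real traffic; the
# payloads are generic probes that only serve to exercise the rule.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpas_get_users&q=john HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=wpas_get_users&q=x%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.11 - - [10/Jan/2024:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpas_get_users&q=a%27/**/uNiOn/**/sElEcT/**/1,2,3-- HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.12 - - [10/Jan/2024:12:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Jan/2024:12:00:15 +0000] "GET /index.php?s=union+station HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords from the advisory's SIEM query, matched as whole words, any case.
SQL_TOKENS = re.compile(r"\b(union|select|from)\b", re.IGNORECASE)

def normalize(value):
    """Undo evasions a plain CONTAINS check misses: a second layer of URL
    encoding and /**/ comments used in place of whitespace."""
    value = unquote_plus(value)               # parse_qs decoded one layer already
    value = re.sub(r"/\*.*?\*/", " ", value)  # comment-as-whitespace trick
    return re.sub(r"\s+", " ", value).strip()

def suspicious_q(uri):
    """Return the normalized 'q' if the request matches the rule, else None."""
    parts = urlsplit(uri)
    if parts.path != "/wp-admin/admin-ajax.php":
        return None                           # scoping cuts false positives
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action", [""])[0] != "wpas_get_users":
        return None
    q = normalize(params.get("q", [""])[0])
    return q if SQL_TOKENS.search(q) else None

def scan(log_text):
    """Return (client_ip, status, normalized_q) for each matching line.
    Only GET query strings are visible in an access log; POSTs to
    admin-ajax.php need request-body logging (WAF/ModSecurity audit)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (q := suspicious_q(m["uri"])) is not None:
            hits.append((m["ip"], int(m["status"]), q))
    return hits
```

Because 'q' is a free-text user search, a legitimate lookup for a name such as "Select" also fires; treat hits as triage leads and correlate them with the database syntax-error entries listed above rather than blocking on a single match.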
🔗 References
- https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L1279
- https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L765
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a?source=cve