CVE-2024-0608
📋 TL;DR
This CVE describes a union-based SQL injection vulnerability in the WP ERP plugin for WordPress. Authenticated attackers with subscriber-level access or higher can exploit the 'email' parameter to execute arbitrary SQL queries and extract sensitive database information. All versions up to and including 1.12.9 are affected.
💻 Affected Systems
- WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress
📦 What is this software?
WP ERP by weDevs
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, financial data, personal information, and potential privilege escalation to administrative access.
Likely Case
Extraction of sensitive user data, plugin configuration secrets, and potential data exfiltration from the WordPress database.
If Mitigated
Limited impact with proper input validation, query parameterization, and database user privilege restrictions in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward due to direct SQL injection via the email parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.10 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/erp/trunk/includes/Admin/Ajax.php#L471
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WP ERP' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.12.10+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Input Validation Filter
Add custom input validation for the email parameter before the plugin processes it.
Add to the theme's functions.php or a custom plugin. Note that 'preprocess_email_param' (the hook in the original snippet) is not a WordPress core hook, so a filter attached to it never runs; hooking 'init' at an early priority runs the check before the plugin's admin-ajax handler is reached. This is a blanket check on every request carrying an 'email' parameter, so other forms that legitimately submit non-address values in that field will also be rejected:
add_action( 'init', function () { // runs before the plugin's admin-ajax handler
    if ( isset( $_REQUEST['email'] ) && ! filter_var( wp_unslash( $_REQUEST['email'] ), FILTER_VALIDATE_EMAIL ) ) { wp_die( 'Invalid email parameter', '', array( 'response' => 400 ) ); }
}, 1 );
Temporary Plugin Deactivation
Disable the vulnerable plugin until it is patched (WP-CLI):
wp plugin deactivate erp
🧯 If You Can't Patch
- Restrict user registration and limit subscriber accounts to trusted users only
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the email parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → WP ERP version. If the version is 1.12.9 or lower, the site is vulnerable.
Check Version:
wp plugin get erp --field=version
Verify Fix Applied:
Confirm WP ERP plugin version is 1.12.10 or higher in WordPress admin panel.
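As an added example (not the advisory's own tooling and not part of the WP ERP project), the version check from this section in Python: it reads the version with the same WP-CLI command given above, compares it numerically rather than as a string, and reports whether the installation is below 1.12.10. The `--path` argument is WP-CLI's global option for the WordPress directory; the comparison function can be exercised without WP-CLI installed:

```python
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "1.12.10"  # first patched release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.12.9' -> (1, 12, 9); a suffix such as '-beta' is ignored."""
    m = re.match(r'\d+(?:\.\d+)*', version.strip())
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(int(part) for part in m.group(0).split('.'))


def is_vulnerable(installed: str) -> bool:
    """True when the installed WP ERP version is below the fixed version.

    Comparing integer tuples avoids the string-ordering trap where
    '1.12.9' > '1.12.10' lexically, which would report a vulnerable
    site as patched.
    """
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_erp_version(wp_path: Optional[str] = None) -> Optional[str]:
    """Ask WP-CLI for the plugin version (the advisory's command); None if unavailable."""
    cmd = ["wp", "plugin", "get", "erp", "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None  # WP-CLI not installed, or the erp plugin is not present
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_erp_version()
    if version is None:
        print("WP ERP not found or WP-CLI unavailable")
    else:
        state = "VULNERABLE" if is_vulnerable(version) else "patched"
        print(f"WP ERP {version}: {state} (fixed in {FIXED_VERSION})")
```

Run it from the WordPress root (or pass `wp_path`) on each site you manage; the numeric comparison is the part worth keeping even if you script the check in another way.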
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by successful subscriber login
- Unusual email parameter values in web server logs containing SQL syntax
Network Indicators:
- Unusual database connection patterns from web server
- Large data exfiltration from database server
SIEM Query:
source="web_server" AND (email="*UNION*" OR email="*SELECT*" OR email="*FROM*" OR email="*WHERE*")
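An added example (not part of the advisory or of the WP ERP project) that applies the logic of the SIEM query above to web-server access-log lines offline: it URL-decodes the email parameter, collapses inline SQL comments used to split keywords, and flags values that are not email-shaped but contain the keywords the query lists. The log lines, IP addresses and the admin-ajax action name `erp_example` are constructed placeholders. It also shows two caveats a plain `*SELECT*` substring match misses: a legitimate address such as selecta@example.com should not alert, and POST bodies are absent from access logs, so those requests need WAF or application logs:

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in combined log format (not real traffic).
# The action name "erp_example", the addresses and the IPs are placeholders.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Jan/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=erp_example&email=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=erp_example&email=x%27%20UNION%20SELECT%201%20WHERE%201%3D1--%20- HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.4 - - [12/Jan/2024:10:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=erp_example&email=selecta%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2024:10:02:31 +0000] "GET /wp-admin/admin-ajax.php?action=erp_example&email=x%27/**/UnIoN/**/sElEcT/**/1 HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The same keywords the advisory's SIEM query lists, matched as whole words.
SQL_KEYWORD_RE = re.compile(r'\b(union|select|from|where)\b', re.IGNORECASE)
COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
EMAIL_RE = re.compile(r'[^@\s]+@[^@\s]+\.[^@\s]+')


def normalize(value: str) -> str:
    """Undo a second layer of percent-encoding and collapse inline SQL comments."""
    value = unquote(value)             # parse_qs already decoded one layer
    return COMMENT_RE.sub(' ', value)  # "/**/" is commonly used to split keywords


def inspect_line(line: str) -> Optional[Dict]:
    """Return a finding when the line's email parameter looks like SQL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-log-format line
    query = urlparse(m['target']).query
    # Only GET parameters are visible here; POST bodies need WAF or application logs.
    for raw in parse_qs(query, keep_blank_values=True).get('email', []):
        value = normalize(raw)
        if EMAIL_RE.fullmatch(value):
            continue  # a well-formed address is not flagged, even one like from@example.com
        keywords = sorted({k.lower() for k in SQL_KEYWORD_RE.findall(value)})
        if keywords:
            return {'ip': m['ip'], 'timestamp': m['ts'], 'status': m['status'],
                    'value': value, 'keywords': keywords}
    return None


def scan(log_text: str) -> List[Dict]:
    """Run inspect_line over every line of an access log and collect the findings."""
    return [f for f in (inspect_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} status={finding['status']} "
              f"keywords={finding['keywords']} value={finding['value']!r}")
```

Feed it a real access log instead of `SAMPLE_LOG` to triage the hits the SIEM query returns; pairing each finding's IP with the subscriber session active at that time (the "successful subscriber login" indicator above) is what turns a keyword hit into an incident record.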
🔗 References
- https://plugins.trac.wordpress.org/browser/erp/trunk/includes/Admin/Ajax.php#L471
- https://www.wordfence.com/threat-intel/vulnerabilities/id/79da7239-0343-465e-8dda-44ff440939c4?source=cve