CVE-2024-0913
📋 TL;DR
This vulnerability allows authenticated attackers with accounting manager or admin privileges in the WP ERP plugin to perform time-based SQL injection attacks. By exploiting insufficient input validation in the sales transactions REST API endpoint, attackers can extract sensitive database information. All WordPress sites using WP ERP plugin versions up to 1.12.9 are affected.
💻 Affected Systems
- WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress
📦 What is this software?
WP ERP by weDevs
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive user data, financial records, authentication credentials, and potential privilege escalation to full system access.
Likely Case
Extraction of sensitive business data including customer information, financial transactions, employee records, and potentially authentication hashes.
If Mitigated
Limited data exposure if proper network segmentation and database permissions are configured, but still significant risk to plugin-managed data.
🎯 Exploit Status
Exploitation requires valid admin/accounting manager credentials. Time-based injection makes detection more difficult but exploitation slower.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.10 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/erp/trunk/modules/accounting/includes/functions/transactions.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WP ERP' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.12.10 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Temporarily disable the erp/v1/accounting/v1/transactions/sales REST API endpoint
Add to the theme's functions.php or to a custom plugin (note that this also blocks legitimate use of the route until the patch is applied):
add_filter('rest_endpoints', function ($endpoints) {
    // Remove the vulnerable sales-transactions route from the REST API route table
    unset($endpoints['/erp/v1/accounting/v1/transactions/sales']);
    return $endpoints;
});
Restrict user privileges
Temporarily remove accounting manager privileges from non-essential users
Navigate to WP ERP → HR → Employees → Edit user roles → Remove 'Accounting Manager' from non-essential users
🧯 If You Can't Patch
- Implement strict network access controls to limit access to WordPress admin interface
- Enable Web Application Firewall (WAF) with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → WP ERP version. If version ≤ 1.12.9, you are vulnerable.
Check Version:
wp plugin list --name=erp --field=version (if WP-CLI is installed; the plugin slug is erp, not the display name), or check the WordPress admin plugins page
Verify Fix Applied:
After update, verify WP ERP version is 1.12.10 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple slow requests to the /wp-json/erp/v1/accounting/v1/transactions/sales endpoint
- Admin users making unusual API calls
Network Indicators:
- Repeated POST requests to vulnerable endpoint with SQL-like parameters
- Unusual timing patterns in API responses
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/erp/v1/accounting/v1/transactions/sales" AND (param="status" OR param="customer_id") AND response_time>5000)
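As an added example (not part of this advisory or of the plugin), the script below implements the "repeated slow requests" log indicator above over constructed access-log lines: it assumes a combined log format with the request time in microseconds (Apache %D) appended as the last field, and uses the 5000 ms threshold from the SIEM query.

```python
import re
from collections import defaultdict

# Assumed log shape (constructed for this example): combined log format with
# the request duration in microseconds (Apache %D) as the final field.
VULN_ROUTE = "/wp-json/erp/v1/accounting/v1/transactions/sales"
SLOW_MS = 5000        # threshold taken from the advisory's SIEM query
MIN_SLOW_HITS = 3     # repeated slow hits from one client raise an alert

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)

def parse_line(line):
    """Parse one access-log line; return None if it is not in the expected shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["us"]) / 1000.0
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec

def find_slow_probes(lines, slow_ms=SLOW_MS, min_hits=MIN_SLOW_HITS):
    """Return {client_ip: slow_hit_count} for clients with at least min_hits
    slow requests to the vulnerable route (time-based SQLi leaves this trace)."""
    slow = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_ROUTE:
            continue
        if rec["ms"] >= slow_ms:
            slow[rec["ip"]] += 1
    return {ip: n for ip, n in slow.items() if n >= min_hits}

# Constructed sample traffic (not real logs): 203.0.113.7 repeatedly triggers
# multi-second responses on the sales route; 198.51.100.4 is mostly normal.
SAMPLE_LOG = [
    '203.0.113.7 - admin [12/Mar/2024:10:00:01 +0000] "GET /wp-json/erp/v1/accounting/v1/transactions/sales?customer_id=1 HTTP/1.1" 200 512 "-" "curl/8.0" 5204113',
    '198.51.100.4 - bob [12/Mar/2024:10:00:02 +0000] "GET /wp-json/erp/v1/accounting/v1/transactions/sales HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 120332',
    '203.0.113.7 - admin [12/Mar/2024:10:00:09 +0000] "GET /wp-json/erp/v1/accounting/v1/transactions/sales?status=1 HTTP/1.1" 200 512 "-" "curl/8.0" 6101220',
    '203.0.113.7 - admin [12/Mar/2024:10:00:20 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "curl/8.0" 7000000',
    '203.0.113.7 - admin [12/Mar/2024:10:00:27 +0000] "GET /wp-json/erp/v1/accounting/v1/transactions/sales?customer_id=2 HTTP/1.1" 200 512 "-" "curl/8.0" 5030000',
    '198.51.100.4 - bob [12/Mar/2024:10:00:31 +0000] "GET /wp-json/erp/v1/accounting/v1/transactions/sales HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 5100000',
    'not a log line',
]

if __name__ == "__main__":
    for ip, hits in find_slow_probes(SAMPLE_LOG).items():
        print(f"ALERT: {ip} made {hits} slow requests to {VULN_ROUTE}")
```

A single slow response can be an ordinary heavy report, which is why the alert is keyed on repeated slow hits per client rather than on any one request.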
🔗 References
- https://plugins.trac.wordpress.org/browser/erp/trunk/modules/accounting/includes/functions/transactions.php#L42
- https://www.wordfence.com/threat-intel/vulnerabilities/id/592440ab-60ac-419f-b615-e5617460aea9?source=cve