CVE-2024-0952
📋 TL;DR
The WP ERP plugin for WordPress (versions up to and including 1.12.9) uses the `id` parameter in a database query without adequate protection against SQL injection. An authenticated user holding the accounting manager or administrator role can inject SQL through that parameter. Query results are not reflected in the response, so extraction is blind: the attacker makes the database delay its reply (time-based blind SQL injection) and reads data out one condition at a time. Only sites running a vulnerable WP ERP version are affected; version 1.13.0 fixes the issue.
💻 Affected Systems
- WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress
📦 What is this software?
WP ERP by weDevs: a WordPress plugin that adds HR, CRM and accounting modules to a site. The vulnerable code lives in the accounting module.
⚠️ Risk & Real-World Impact
Worst Case
Full read access to everything the WordPress database user can see, including customer and employee records, financial data and the password hashes in wp_users; cracked or reused hashes can then open the way to further account takeover and, in the worst case, full compromise of the site.
Likely Case
Extraction of sensitive business data including customer information, financial records, and potentially credential harvesting from the WordPress database.
If Mitigated
With the accounting manager and administrator roles limited to trusted staff and a WAF in front of the site, the remaining exposure is data leakage by an insider or by a compromised privileged account. Mitigation narrows who can reach the injection point; it does not remove the injection itself until the plugin is updated.
🎯 Exploit Status
Exploitation requires an authenticated account with the accounting manager or administrator role. Beyond that, time-based blind SQL injection is straightforward: standard tooling automates the delay-based, per-character extraction, at the cost of many slow requests per byte recovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.0
Fix Changeset (plugin trac): https://plugins.trac.wordpress.org/changeset/3060269/erp/tags/1.13.0/modules/accounting/includes/functions/people.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WP ERP' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.13.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Remove the vulnerable plugin
Temporarily deactivate or remove the WP ERP plugin until it can be updated. Deactivation alone is enough to stop the vulnerable code from loading; delete the plugin only if you also want its files gone.
wp plugin deactivate erp
wp plugin delete erp
Restrict user privileges
Temporarily remove the accounting manager and administrator roles from any user who does not strictly need them. The injection is only reachable from those roles, so every account holding them is an attack path.
🧯 If You Can't Patch
- Keep the accounting manager and administrator roles to the smallest set of trusted users and review those accounts for signs of compromise
- Deploy a web application firewall with SQL injection rules; treat it as a speed bump rather than a fix, since time-based payloads (SLEEP, BENCHMARK) are easy to encode or rephrase
- Segment the network around the WordPress host; this does not stop the injection, which arrives over normal HTTP from an authenticated user, but it limits what a compromised host can reach afterwards
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP ERP version 1.12.9 or lower
Check Version:
wp plugin get erp --field=version
Verify Fix Applied:
Verify WP ERP plugin version is 1.13.0 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Queries containing SLEEP() or BENCHMARK() in the MySQL slow query log or general log, or bursts of queries from the WordPress database user whose duration is a whole-second multiple
- Multiple failed login attempts followed by SQL injection patterns in requests from the same source (a credential attack that succeeded and moved on to exploitation)
- Unusual activity from accounting manager or administrator accounts, especially many near-identical requests to accounting pages with a varying id value
Network Indicators:
- SQL injection patterns in HTTP GET/POST parameters, including percent-encoded forms such as sleep%28 and benchmark%28
- Long-running or unusually frequent database connections from the web server to the database host
SIEM Query:
source="web_logs" AND "id=" AND ("sleep(" OR "sleep%28" OR "benchmark(" OR "benchmark%28")
Notes: WordPress runs on MySQL/MariaDB, so WAITFOR (MSSQL) and pg_sleep (PostgreSQL) are not relevant delay primitives here and only add noise. URL-decode request fields before matching if the SIEM supports it, otherwise keep the encoded variants in the query. Web access logs do not contain POST bodies; payloads sent by POST are only visible in WAF or application logs.
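The SIEM string above is a first pass; the following is an added example (not code from WP ERP, weDevs or any source cited here) that runs the same detection over constructed access-log lines and goes beyond the raw string in two ways a practitioner needs. It URL-decodes the `id` value, repeatedly, so percent-encoded and double-encoded payloads such as `SLEEP%285%29` and `SLEEP%25285%2529` are not missed, and it counts hits per source, since blind time-based extraction takes many requests. The IPs, timestamps and the `erp-accounting` page slug in the sample lines are constructed for the demonstration and are not taken from the plugin or from real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1 is benign, lines 2-5 carry MySQL delay payloads in the id parameter
# (plain, encoded, nested in IF(), double-encoded), line 6 is a POST whose body
# is not in the access log at all.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2024:09:14:01 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=17 HTTP/1.1" 200 5123
10.0.0.9 - - [12/Feb/2024:09:15:22 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=17%20AND%20SLEEP(5) HTTP/1.1" 200 5123
10.0.0.9 - - [12/Feb/2024:09:15:40 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=17%27%20and%20benchmark%2810000000%2Cmd5%281%29%29--%20- HTTP/1.1" 200 5123
10.0.0.9 - - [12/Feb/2024:09:16:03 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=17+AND+1%3DIF%28SUBSTRING%28version%28%29%2C1%2C1%29%3D%278%27%2CSLEEP%283%29%2C0%29 HTTP/1.1" 200 5123
10.0.0.9 - - [12/Feb/2024:09:16:30 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=17%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 5123
10.0.0.7 - - [12/Feb/2024:09:17:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# WordPress runs on MySQL/MariaDB, so only its delay primitives are matched;
# WAITFOR (MSSQL) and pg_sleep (PostgreSQL) would only add noise.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2528 -> %28 -> '(')
    are normalised before matching. Stops early once the text is stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text, param_names=('id',)):
    """Return one hit per request whose inspected query parameter carries a
    MySQL delay primitive. Only the URL is available here: POST bodies are
    not written to access logs, so those need WAF or application logs."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group('target')).query)
        for name in param_names:
            for raw in params.get(name, []):
                value = fully_decode(raw)
                if DELAY_RE.search(value):
                    hits.append({
                        'ip': m.group('ip'),
                        'ts': m.group('ts'),
                        'param': name,
                        'value': value,
                    })
    return hits


def suspicious_sources(hits, threshold=3):
    """Blind time-based extraction needs many requests per byte recovered, so a
    source with repeated delay payloads is far more telling than a single one."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['param']}={h['value']!r}")
    print('sources over threshold:', suspicious_sources(found))
```

Run against a real access log by reading the file into `scan_log`; widen `param_names` if you want every parameter inspected rather than only `id`, and raise `threshold` on busy sites to keep the per-source alert meaningful.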
🔗 References
- https://plugins.trac.wordpress.org/changeset/3060269/erp/tags/1.13.0/modules/accounting/includes/functions/people.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f3ba06f9-de51-49ea-87c1-4583e939314b?source=cve