CVE-2024-1173
📋 TL;DR
This vulnerability allows authenticated attackers holding the accounting manager role (or administrator access) to perform time-based blind SQL injection via the id parameter in the WP ERP plugin, in versions up to and including 1.13.1. Because the parameter is not escaped and the query is not prepared, an attacker can append SQL to the existing query and, using timing differences in the response, extract information from the database one condition at a time. Only WordPress sites running a vulnerable version of WP ERP are affected.
💻 Affected Systems
- WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress
📦 What is this software?
WP ERP by weDevs
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive HR, recruitment, CRM, and accounting data, potentially leading to data breach, privilege escalation, or full system takeover.
Likely Case
Extraction of sensitive business data including employee records, customer information, financial data, and potentially credential harvesting.
If Mitigated
Restricting the accounting manager role to trusted staff shrinks the pool of possible attackers, but any remaining holder of that role can still read data well beyond what the role is meant to expose, because the injection bypasses the plugin's own access checks entirely.
🎯 Exploit Status
Exploitation requires an account with the accounting manager role or administrator access, but no special tooling: a single request with a SLEEP()-based condition in the id parameter confirms the flaw, and extraction then proceeds with standard blind-injection techniques. Time-based injection produces no error output and returns a normal-looking page, so it leaves fewer traces in application logs than error-based or union-based injection and is harder to spot without timing data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.2 or later (the first release after 1.13.1)
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3071807/erp/trunk/modules/accounting/includes/functions/people.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the WP ERP plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the accounting module if it is not essential; the vulnerable code lives in the accounting module's people functions.
Restrict user privileges
Review who holds the accounting manager role (and administrator access) and reduce it to the minimum set of users who need it. This limits who can reach the vulnerable parameter but does not remove the flaw.
🧯 If You Can't Patch
- Implement WAF rules that block SQL injection patterns (SLEEP, BENCHMARK, conditional expressions) in the id parameter, bearing in mind that payloads are commonly URL-encoded, mixed-case or comment-obfuscated and rules must match after decoding.
- Enable database query logging (or the MySQL slow query log) and monitor for suspicious activity such as queries containing SLEEP() or BENCHMARK().
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WP ERP version. If the version is 1.13.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name=erp --field=version
Verify Fix Applied:
Verify that the WP ERP plugin version is higher than 1.13.1. To confirm at the code level, open modules/accounting/includes/functions/people.php around line 262 and check that the query consuming the id value passes it through $wpdb->prepare() (or casts it to an integer) rather than interpolating the raw request parameter into the SQL string.
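The version check above, as an added example that is not part of the advisory or the plugin's own code. It asks WP-CLI for the installed version with the same `wp plugin list --name=erp --field=version` command and compares it numerically against 1.13.1; the point of doing this in code rather than by eye is that a plain string comparison would rank "1.13.10" below "1.13.2" and misreport a patched site. The `--path` argument and the fallback when wp-cli is absent are assumptions for illustration.

```python
"""Decide whether an installed WP ERP version falls in the CVE-2024-1173
affected range (<= 1.13.1).

Added example, not part of the advisory or the plugin. Versions are compared
as integer tuples so that 1.13.10 is correctly treated as newer than 1.13.2.
"""
import re
import shutil
import subprocess

LAST_VULNERABLE = "1.13.1"


def parse_version(v: str):
    """'1.13.2-beta1' -> (1, 13, 2); any pre-release suffix is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; short tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is 1.13.1 or lower."""
    return cmp_versions(installed, LAST_VULNERABLE) <= 0


def installed_erp_version(site_path: str = "."):
    """Ask WP-CLI for the erp plugin version.

    Returns None if the wp binary is not on PATH or the plugin is not installed.
    site_path is passed as the WP-CLI --path global option (assumed usage).
    """
    if shutil.which("wp") is None:
        return None
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=erp", "--field=version", f"--path={site_path}"],
        capture_output=True, text=True,
    )
    out = result.stdout.strip()
    return out or None


if __name__ == "__main__":
    v = installed_erp_version()
    if v is None:
        print("wp-cli not found or WP ERP not installed; run from the WordPress root")
    else:
        print(f"WP ERP {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```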
📡 Detection & Monitoring
Log Indicators:
- Unusually long database query execution times on requests to the accounting module (time-based payloads typically add a delay of several seconds)
- Query log or slow-log entries containing SLEEP(), BENCHMARK() or conditional expressions appended to a lookup by id
- Request parameter values for id that are not plain integers, especially ones containing SQL keywords, quotes or comment sequences
Network Indicators:
- Many requests from one authenticated account to the same accounting endpoint in which the id value carries a varying appended condition (character-by-character extraction produces long runs of near-identical requests)
- Requests with SQL syntax in parameters, often URL-encoded or mixed-case to evade simple pattern matching
SIEM Query:
source="wordpress.log" AND "id=" AND ("SLEEP" OR "WAITFOR" OR "BENCHMARK" OR "pg_sleep")
Note: this matches only if the log stores the decoded query string; payloads are usually URL-encoded (for example SLEEP%285%29) and may be double-encoded, so decode before matching or include the encoded forms. Requests sent in a POST body will not appear in a standard access log at all. WordPress runs on MySQL/MariaDB, so SLEEP and BENCHMARK are the relevant primitives; WAITFOR and pg_sleep are included only to catch generic scanner probes.
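The detection logic described above, run over sample log lines, as an added example that is not part of the advisory or the plugin. It assumes an Apache combined-format access log with the request duration in microseconds appended as the last field (LogFormat ending in %D); the admin page path and every log line below are constructed for illustration and are not the plugin's real endpoints. The check goes slightly beyond the SIEM query: it URL-decodes the id value (twice, to catch double encoding), matches delay primitives case-insensitively, and separately flags non-numeric id values on slow responses so that obfuscated payloads without a recognisable keyword are still surfaced.

```python
"""Scan access-log lines for time-based SQL injection attempts against the
WP ERP 'id' parameter (CVE-2024-1173).

Added example, not part of the advisory or the plugin. Assumed log format:
Apache combined with the request duration in microseconds (%D) as the last
field. SAMPLE_LOG below is constructed; the path used is illustrative.
"""
import re
import sys
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log plus trailing %D (microseconds). Assumed format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<us>\d+)$'
)

# Delay primitives for MySQL/MariaDB (SLEEP, BENCHMARK), MSSQL (WAITFOR DELAY)
# and PostgreSQL (pg_sleep). WordPress uses MySQL, so the first two matter most.
DELAY_RE = re.compile(
    r'\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE
)
SLOW_US = 5_000_000  # 5 s: a SLEEP(5) payload takes at least this long

# Constructed sample: one benign request, three probes from 203.0.113.9, one
# unrelated slow page without an id parameter.
SAMPLE_LOG = [
    '10.0.0.5 - acct_mgr [12/Feb/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 183000',
    '203.0.113.9 - acct_mgr [12/Feb/2024:10:02:11 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=42%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.4.0" 5210000',
    '203.0.113.9 - acct_mgr [12/Feb/2024:10:02:19 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=42%2520AND%2520bEnChMaRk%25285000000%252CMD5%25281%2529%2529 HTTP/1.1" 200 5120 "-" "curl/8.4.0" 4870000',
    '203.0.113.9 - acct_mgr [12/Feb/2024:10:02:30 +0000] "GET /wp-admin/admin.php?page=erp-accounting&id=42%27%7C%7C1 HTTP/1.1" 200 5120 "-" "curl/8.4.0" 6100000',
    '10.0.0.7 - admin [12/Feb/2024:10:03:00 +0000] "GET /wp-admin/admin.php?page=erp-reports HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 7000000',
]


def decode_param(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so a double-encoded %2528 becomes '('."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    rec["us"] = int(rec["us"])
    return rec


def classify(rec) -> list:
    """Return the reasons a parsed request looks like CVE-2024-1173 probing."""
    reasons = []
    for raw in rec["params"].get("id", []):
        val = decode_param(raw)
        if DELAY_RE.search(val):
            reasons.append(f"delay primitive in id={val!r}")
        elif not val.isdigit() and rec["us"] >= SLOW_US:
            reasons.append(f"non-numeric id={val!r} with {rec['us'] / 1e6:.1f}s response")
    return reasons


def scan(lines):
    """Return (ip, user, path, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["user"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, user, path, reasons in scan(source):
        print(f"{ip} {user} {path}: " + "; ".join(reasons))
```

Run it with a log file as the first argument to scan real data, or with no argument to see the three constructed probes flagged. The timing heuristic is deliberately conservative (non-numeric id and a slow response together); loosen it only after checking what your site's normal response times for the accounting pages look like.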
🔗 References
- https://plugins.trac.wordpress.org/browser/erp/trunk/modules/accounting/includes/functions/people.php#L262
- https://plugins.trac.wordpress.org/changeset/3071807/erp/trunk/modules/accounting/includes/functions/people.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/94772de9-6ab8-45ff-8b56-19b50a81b66f?source=cve