CVE-2024-12109

4.1 MEDIUM

📋 TL;DR

This vulnerability allows an authenticated WordPress administrator to perform SQL injection through the Product Labels For Woocommerce (Sale Badges) plugin: the plugin passes a user-controlled parameter into a SQL query without proper sanitisation or escaping. Only WordPress sites with this plugin installed are affected.

💻 Affected Systems

Products:
  • Product Labels For Woocommerce (Sale Badges) WordPress plugin
Versions: All versions before 1.5.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and the vulnerable plugin installed. Exploitation requires admin-level access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated administrator executes arbitrary SQL against the WordPress database: reading or altering any table, including the password hashes in wp_users and WooCommerce order and customer records, or planting data that leads to full site takeover.

🟠 Likely Case

An administrator acting with malicious intent, or an attacker holding a stolen administrator session, extracts sensitive data from the database: password hashes, customer and order details, and other confidential content.

🟢 If Mitigated

Because exploitation requires administrator credentials, restricting the administrator role to a small set of trusted accounts protected by strong authentication reduces the risk substantially.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (an administrator session is required)
Complexity: LOW

Exploitation requires an authenticated administrator session in WordPress; once authenticated, the injection itself is straightforward. Keep the privilege level in perspective: a WordPress administrator can normally already install plugins and edit theme files, so a SQL injection reachable only by administrators adds little to what the role already grants, which is why the score is only 4.1. It matters most where that role is deliberately constrained, for example site administrators on a multisite network who cannot install plugins, or installs with DISALLOW_FILE_MODS set, and wherever an administrator account could be taken over by phishing or session theft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.9

Vendor Advisory: https://wpscan.com/vulnerability/2eca2f88-c843-4794-8cd9-46f17c92753a/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Product Labels For Woocommerce (Sale Badges)'.
4. Click 'Update Now' if the update is offered, or upload version 1.5.9 or later manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the plugin until it is patched:

wp plugin deactivate product-labels-for-woocommerce-sale-badges

Restrict admin access (platform: all)

Limit WordPress administrator accounts to essential, trusted users, and require strong authentication for them.

🧯 If You Can't Patch

  • Implement strict access controls so that only essential personnel hold WordPress administrator privileges
  • Monitor the WordPress debug log (WP_DEBUG_LOG) for "WordPress database error" entries and the web access logs for admin-page requests carrying SQL syntax, and review administrator sessions for unexpected logins

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Product Labels For Woocommerce (Sale Badges) → View version number

Check Version:

wp plugin get product-labels-for-woocommerce-sale-badges --field=version

Verify Fix Applied:

Confirm plugin version is 1.5.9 or higher in WordPress admin panel
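
To run the check above across many hosts, here is an added example (not code from the plugin, WordPress, or the advisory) that wraps the WP-CLI command and compares the result against the fixed release. It uses the plugin slug as given on this page, which is an assumption to confirm with `wp plugin list` on your own install, and it avoids plain string comparison, which would wrongly treat a future 1.5.10 as older than 1.5.9.

```python
"""Check whether the installed Product Labels For Woocommerce (Sale Badges)
plugin is older than the fixed release.

Added example for this advisory page; not code from the plugin, WordPress,
or the advisory. The slug below is the one this page uses and is an
assumption: confirm it with `wp plugin list` on your own install.
"""
import re
import subprocess
import sys

PLUGIN_SLUG = "product-labels-for-woocommerce-sale-badges"  # assumed slug
FIXED_VERSION = "1.5.9"

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*?)\s*$")


def parse_version(text):
    """Turn '1.5.9' or '1.5.9-rc1' into a comparable tuple.

    Returns (numeric components, release flag). The release flag is 0 for a
    pre-release suffix and 1 for a plain release, so 1.5.9-rc1 sorts before
    1.5.9 and is still treated as vulnerable.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    release_flag = 0 if match.group(2) else 1
    return numbers, release_flag


def version_lt(a, b):
    """True if version a is strictly older than version b."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # '1.5' compares as '1.5.0'
    nb += (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def is_vulnerable(installed):
    """Vulnerable if the installed version predates the fixed release."""
    return version_lt(installed, FIXED_VERSION)


def installed_version(wp_path=None):
    """Ask WP-CLI for the plugin's version; None if the plugin is absent.

    `wp plugin get` exits non-zero when the slug is not installed, which is
    treated here as 'not affected' rather than as an error.
    """
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    version = installed_version(sys.argv[1] if len(sys.argv) > 1 else None)
    if version is None:
        print(f"{PLUGIN_SLUG}: not installed")
        sys.exit(0)
    status = "VULNERABLE" if is_vulnerable(version) else "fixed"
    print(f"{PLUGIN_SLUG} {version}: {status} (fixed in {FIXED_VERSION})")
    sys.exit(2 if status == "VULNERABLE" else 0)
```

Run it as `python3 check_sale_badges.py /var/www/html` (the optional argument becomes WP-CLI's `--path`); a non-zero exit marks a vulnerable host, which makes it easy to fan out over a fleet with your configuration-management tool. On a multisite network the plugin is installed once for the network, so one check per installation is enough.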

📡 Detection & Monitoring

Log Indicators:

  • Requests to /wp-admin/ pages or admin-ajax actions whose parameters contain SQL syntax (UNION SELECT, SLEEP(, quote-and-comment sequences, information_schema), including URL-encoded forms of the same
  • "WordPress database error" entries in the debug log (written when WP_DEBUG and WP_DEBUG_LOG are enabled) whose call trace points at the plugin's functions; a malformed injection attempt usually produces several in quick succession
  • Administrator logins from unfamiliar addresses, or a burst of failed logins followed by a successful administrator login

Network Indicators:

  • The injected SQL runs over WordPress's existing database connection, so there is no new connection to spot; where the database is on a separate host, the only network-visible sign is an unusual burst of queries or long-running queries (time-based probing with SLEEP) from the web server

SIEM Query:

Splunk syntax, using the uri_path and uri_query fields extracted by the access_combined sourcetype (AND binds tighter than OR in Splunk search, so the alternatives must be parenthesised; %27 is the URL-encoded single quote):

index=web sourcetype=access_combined uri_path="/wp-admin/*" (uri_query="*UNION*SELECT*" OR uri_query="*SLEEP(*" OR uri_query="*information_schema*" OR uri_query="*%27*OR*" OR uri_query="*%27*AND*")

This only sees GET parameters; admin settings forms usually submit by POST, whose bodies do not reach the access log, so pair it with a WAF or ModSecurity audit log or with the debug-log indicator above.
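
The indicators above are tedious to search for by hand, so here is an added example (not code from the advisory, WordPress or any SIEM vendor) that runs that logic over a web-server access log in combined format: it keeps only requests under /wp-admin/, decodes each query parameter (twice, so double-encoded payloads are not missed), and flags values matching common injection markers. The log lines are constructed for the example, and the page slug, action and parameter names in them are placeholders rather than the plugin's real ones.

```python
"""Flag wp-admin requests whose query parameters carry SQL-injection markers.

Added example for this advisory page; not code from WordPress, the plugin,
or the advisory. Input is a web-server access log in combined format.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers applied to each decoded parameter value. Quotes and '--' on their
# own are left out: they are common in legitimate admin input and too noisy.
SQLI_MARKERS = [
    ("union-select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("schema-probe", re.compile(r"information_schema|load_file\s*\(", re.I)),
]


def scan_line(line):
    """Return a finding dict for a suspicious wp-admin request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = urlsplit(match.group("target"))
    # This CVE's attack surface is the plugin's admin pages, so scope to
    # /wp-admin/ (admin.php pages and admin-ajax.php actions both live there).
    if not target.path.startswith("/wp-admin/"):
        return None
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # parse_qsl already URL-decodes once; decode again so a
        # double-encoded payload (%2527 -> %27 -> ') is still visible.
        value = unquote_plus(value)
        for marker, pattern in SQLI_MARKERS:
            if pattern.search(value):
                hits.append((marker, name))
    if not hits:
        return None
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "path": target.path,
        "hits": hits,
    }


def scan_log(lines):
    """Scan an iterable of log lines; returns a list of findings."""
    findings = []
    for line in lines:
        finding = scan_line(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log. The page slug, action name and parameter names are
# placeholders, not the plugin's real ones.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/admin.php?page=example-labels&tab=general HTTP/1.1" 200 5123',
    '203.0.113.10 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin.php?page=example-labels&id=1%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 5123',
    '203.0.113.10 - - [01/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=example-labels&id=1+AND+SLEEP(5) HTTP/1.1" 200 5123',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /?s=union+select HTTP/1.1" 200 8802',
    '203.0.113.10 - - [01/Jan/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_label_save&label=%2527%20OR%20%25271%2527%3D%25271 HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        markers = ", ".join(f"{m} in '{p}'" for m, p in f["hits"])
        print(f"{f['ts']} {f['ip']} {f['path']}: {markers}")
```

Feed it a real log with `scan_log(open("/var/log/apache2/access.log"))`. The front-end search request in the sample is deliberately ignored by the /wp-admin/ filter because it is outside this CVE's attack surface; drop that filter to turn the script into a general injection-probe sweep. As with the SIEM query, POST bodies are not in the access log, so injection through the plugin's settings form needs a WAF or ModSecurity audit log, or the "WordPress database error" entries in the debug log, to be seen.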

🔗 References
