CVE-2024-13184
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform time-based SQL injection attacks against WordPress sites using the WP Extended plugin. Attackers can extract sensitive database information by manipulating login attempt tracking. All WordPress sites with WP Extended plugin versions up to 3.0.12 are affected.
💻 Affected Systems
- The Ultimate WordPress Toolkit – WP Extended
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, personal data, and administrative access leading to site takeover.
Likely Case
Extraction of sensitive user data, password hashes, and potentially administrative credentials from the database.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
Time-based blind SQL injection requires specialized tools and knowledge but is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.13 or later
Vendor Advisory: https://wordpress.org/plugins/wpextended/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'The Ultimate WordPress Toolkit – WP Extended'. 4. Click 'Update Now' if available. 5. If no update shows, manually download version 3.0.13+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Login Attempts Module
allTemporarily disable the vulnerable module until patching is possible
Web Application Firewall Rule
allBlock SQL injection patterns targeting the login attempts endpoint
🧯 If You Can't Patch
- Disable the WP Extended plugin entirely
- Implement strict network-level access controls to limit who can access the WordPress login page
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Extended version. If version is 3.0.12 or lower, you are vulnerable.Check Version:
wp plugin list --name=wpextended --field=versionVerify Fix Applied:
After updating, verify plugin version shows 3.0.13 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple failed login attempts with SQL-like patterns in parameters
- Long response times on login pages
Network Indicators:
- HTTP requests to wp-login.php with SQL injection payloads
- Unusual timing patterns in login requests
SIEM Query:
source="wordpress.log" AND ("SQL syntax" OR "MySQL" OR "database error") AND "wp-login"🔗 References
- https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_limit_login_attempts/wpext_limit_login_attempts.php#L105
- https://plugins.trac.wordpress.org/changeset/3220003/
- https://wordpress.org/plugins/wpextended/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/abab29c7-88a9-4c6f-9691-ed9087cde2ff?source=cve
