CVE-2024-13234

7.5 HIGH

📋 TL;DR

The Product Table by WBW WordPress plugin contains an SQL injection vulnerability in the 'additionalCondition' parameter. Unauthenticated attackers can use it to run arbitrary SQL queries against the site's database and read sensitive data from it. Every WordPress site running version 2.1.2 or earlier of the plugin is affected.

💻 Affected Systems

Products:
  • Product Table by WBW WordPress plugin
Versions: All versions up to and including 2.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active on WordPress sites.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including user credentials, sensitive customer data, and administrative access leading to site takeover.

🟠

Likely Case

Data exfiltration of user information, product data, and potentially WordPress configuration details.

🟢

If Mitigated

Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication is needed: the plugin accepts the additionalCondition parameter from unauthenticated requests, so an attacker only needs HTTP access to the site to supply a crafted value.
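To show why a parameter of this kind is dangerous, here is an added illustration (not the plugin's code and not a PoC against it): a SQLite model in which a filter fragment named after the vulnerable parameter is spliced into a WHERE clause, beside a hardened form that maps a client-supplied key to a server-defined clause and binds any value as a parameter. The table names, columns, condition keys and the sample rows are constructed stand-ins.

```python
"""Model of a filter-fragment SQL injection and its hardened counterpart.
Added illustration built on SQLite, not the plugin's code: the table names,
columns, condition keys and rows are constructed stand-ins."""
import sqlite3


def build_db():
    """Constructed sample database: a product table plus a WordPress-style users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, stock INTEGER, price REAL);
        INSERT INTO products VALUES (1, 'Mug', 5, 7.0), (2, 'Shirt', 0, 19.5);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$B-constructed-hash-not-real');
    """)
    return con


def vulnerable_query(con, additional_condition):
    """The attacker-controlled string is spliced into the WHERE clause unchanged."""
    sql = "SELECT id, name FROM products WHERE 1=1 AND " + additional_condition
    return con.execute(sql).fetchall()


# Hardened form: the client may only name a predefined condition; any value it
# supplies travels as a bound parameter, never as SQL text.
ALLOWED_CONDITIONS = {
    "in_stock":  ("stock > 0", None),
    "max_price": ("price <= ?", float),
}


def hardened_query(con, condition_key, value=None):
    """Look the key up in the allow-list; reject anything else before it reaches SQL."""
    if condition_key not in ALLOWED_CONDITIONS:
        raise ValueError("unknown condition: %r" % condition_key)
    clause, caster = ALLOWED_CONDITIONS[condition_key]
    params = () if caster is None else (caster(value),)
    return con.execute("SELECT id, name FROM products WHERE " + clause, params).fetchall()


if __name__ == "__main__":
    con = build_db()
    print(vulnerable_query(con, "stock > 0"))
    print(vulnerable_query(con, "1=1 UNION ALL SELECT user_login, user_pass FROM wp_users"))
    print(hardened_query(con, "max_price", "10"))
```

The second call in the usage block returns the admin row from wp_users alongside the product rows, which is the "extract sensitive database information" outcome described above; the hardened form raises on the same input because a UNION fragment is not one of the allowed keys. The practical point for defenders is that a parameter designed to carry a raw condition cannot be made safe by filtering individual keywords; the accepted values have to be enumerated.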

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: the first plugin release later than 2.1.2

Vendor Changeset (plugin SVN): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3221872%40woo-product-tables&new=3221872%40woo-product-tables&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Product Table by WBW' and click 'Update Now'.
4. Verify that the installed plugin version is higher than 2.1.2.

🔧 Temporary Workarounds

Disable vulnerable plugin

Platform: all

Deactivate the plugin until it can be updated to a version later than 2.1.2. Deactivation stops the plugin's request handlers from running, which is the only mitigation that does not depend on pattern matching.

Web Application Firewall rule

Platform: all

Block requests in which the additionalCondition parameter (query string or POST body) contains SQL keywords or comment sequences such as UNION, SELECT, SLEEP(, --, /* or a quote character. Normalize case and percent-encoding before matching; otherwise mixed-case and double-encoded payloads pass the rule.

🧯 If You Can't Patch

  • Reject, in front of the plugin (web server or WAF rule), any request whose additionalCondition value is not one of the values your site legitimately sends; the plugin itself accepts the parameter, so the check cannot be done in site configuration
  • Deploy a web application firewall with SQL injection protection rules, and treat it as a stopgap: keyword signatures are bypassable, so schedule the update or deactivation regardless

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Product Table by WBW' version 2.1.2 or lower

Check Version:

wp plugin list --name=woo-product-tables --field=version

Verify Fix Applied:

Confirm plugin version is higher than 2.1.2 after update
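The check above is a version comparison, and the classic mistake is to compare version strings lexically, where "2.1.10" sorts below "2.1.2". The following added script (not wp-cli's or the plugin's code) reads the JSON that `wp plugin list --format=json` prints, finds the plugin by its slug (woo-product-tables, taken from the vendor changeset URL), and classifies the install by comparing version components numerically. The JSON samples are constructed; the later version number in them is a placeholder to exercise the comparison, not the actual fixed release.

```python
"""Classify a 'Product Table by WBW' install from `wp plugin list --format=json`.
Added example, not wp-cli's or the plugin's code. The JSON below is constructed."""
import json
import re

PLUGIN_SLUG = "woo-product-tables"   # slug from the vendor changeset URL
LAST_VULNERABLE = "2.1.2"            # per the advisory: <= 2.1.2 is affected

# Constructed wp-cli output. "2.1.10" is a placeholder later version, chosen
# because it sorts *below* "2.1.2" as a string and *above* it numerically.
SAMPLE_FIXED = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "none", "version": "2.1.10"},
])
SAMPLE_VULNERABLE = json.dumps([
    {"name": PLUGIN_SLUG, "status": "inactive", "update": "available", "version": "2.1.2"},
])
SAMPLE_ABSENT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def parse_version(version):
    """Split a version string into an integer tuple so 2.1.10 > 2.1.2."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(wp_plugin_list_json, slug=PLUGIN_SLUG):
    """Return (state, version, active) where state is one of
    'not_installed', 'vulnerable', 'fixed'."""
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") != slug:
            continue
        version = plugin.get("version", "")
        active = plugin.get("status") == "active"
        if parse_version(version) <= parse_version(LAST_VULNERABLE):
            return ("vulnerable", version, active)
        return ("fixed", version, active)
    return ("not_installed", None, False)


if __name__ == "__main__":
    for sample in (SAMPLE_FIXED, SAMPLE_VULNERABLE, SAMPLE_ABSENT):
        print(assess(sample))
```

An inactive install of a vulnerable version is still reported as vulnerable: the advisory says exploitation requires the plugin to be active, but the code stays on disk and the plugin can be re-enabled, so update or delete it rather than relying on the inactive state.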

📡 Detection & Monitoring

Log Indicators:

  • Queries containing UNION, SLEEP() or reads of the wp_users table in the MySQL general or slow query log, if one is enabled
  • Multiple requests with SQL-like patterns in additionalCondition parameter
  • Unexpected database errors

Network Indicators:

  • HTTP requests with SQL injection payloads in parameters
  • Unusual traffic patterns to plugin endpoints

SIEM Query:

SELECT * FROM web_logs
WHERE (LOWER(url) LIKE '%additionalcondition=%' OR LOWER(request_body) LIKE '%additionalcondition=%')
  AND (LOWER(url) LIKE '%union%' OR LOWER(request_body) LIKE '%union%'
       OR LOWER(url) LIKE '%select%' OR LOWER(request_body) LIKE '%select%'
       OR LOWER(url) LIKE '%sleep(%' OR LOWER(request_body) LIKE '%sleep(%'
       OR url LIKE '%--%' OR request_body LIKE '%--%')

This query looks at both the query string and the body, since the parameter may arrive either way, and lower-cases the fields so mixed-case payloads match. It still only matches literal tokens: percent-encoded payloads (for example %55NION) must be decoded by the log pipeline before this query sees them.
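Where the SIEM cannot decode request data for you, the matching has to be done on the decoded parameter value rather than on the raw line. The following is an added detection routine (not the page's SIEM query and not the plugin's code) run over constructed request-log entries: it pulls additionalCondition out of the query string and the form body, strips repeated percent-encoding, and then applies a case-insensitive pattern. The JSON-object log format and the request path are assumptions; the path is a placeholder, not a documented endpoint.

```python
"""Detect SQL injection attempts in the additionalCondition parameter over
request-log entries. Added example: the log format, path and entries are
constructed, and this is not the plugin's code."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "additionalCondition"

# SQL tokens that have no business in a product-table filter value.
SQLI_PATTERN = re.compile(
    r"\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\S+\s*=|--|/\*|#|'",
    re.IGNORECASE,
)

# Constructed sample log. "/index.php" is a placeholder path.
SAMPLE_LOG = [
    # benign: the value is a plain comparison in the query string
    {"src": "198.51.100.7", "url": "/index.php?additionalCondition=stock%3E0", "body": ""},
    # mixed-case UNION SELECT in a POST body; a case-sensitive LIKE on the URL misses it
    {"src": "203.0.113.5", "url": "/index.php",
     "body": "page=1&additionalCondition=1%3D1%20uNiOn%20SeLeCt%20user_login%2Cuser_pass%20from%20wp_users"},
    # double percent-encoded time-based payload: 1=1 OR SLEEP(5)#
    {"src": "203.0.113.5", "url": "/index.php",
     "body": "additionalCondition=1%253D1%2520OR%2520SLEEP%25285%2529%2523"},
    # unrelated request without the parameter
    {"src": "192.0.2.9", "url": "/index.php?page=2", "body": "sort=price"},
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are seen as SQL."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def param_values(entry):
    """Collect additionalCondition from both the query string and the form body."""
    values = []
    values += parse_qs(urlsplit(entry["url"]).query).get(PARAM, [])
    values += parse_qs(entry.get("body", "")).get(PARAM, [])
    return [fully_decode(v) for v in values]


def is_suspicious(entry):
    """True when any decoded value of the parameter contains SQL tokens."""
    return any(SQLI_PATTERN.search(v) for v in param_values(entry))


def scan(log):
    """Return (index, source address, decoded values) for each flagged entry."""
    return [(i, e["src"], param_values(e)) for i, e in enumerate(log) if is_suspicious(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The single-quote and `#` alternatives are the noisiest parts of the pattern; if legitimate filter values on your site contain apostrophes, drop the quote alternative and rely on the keyword and comment-sequence checks, which are what the injected queries actually need.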
