CVE-2024-13369
📋 TL;DR
This vulnerability allows authenticated attackers with Subscriber-level access or higher to perform time-based blind SQL injection through the 'review_id' parameter in the Tour Master WordPress plugin. Because the injection is blind, attackers extract database contents one condition at a time by measuring response delays; this is slow but fully automated by standard tooling. WordPress sites running a vulnerable version of the plugin are affected.
💻 Affected Systems
- Tour Master - Tour Booking, Travel, Hotel plugin for WordPress
📦 What is this software?
Tour Master by Goodlayers
⚠️ Risk & Real-World Impact
Worst Case
Complete read access to the WordPress database, including user password hashes, booking and payment records, personal data, and session or reset tokens that can be leveraged into administrative access and site takeover.
Likely Case
Extraction of sensitive user data, plugin configuration details, and potentially WordPress user credentials.
If Mitigated
Exposure confined to the WordPress database if its database user cannot reach other schemas or the filesystem, and the attack is noisy enough (many requests with stepped response times) to be caught by monitoring before much data is extracted.
🎯 Exploit Status
Exploitation requires an authenticated account, but Subscriber is the lowest WordPress role, so any site with open registration (or a single compromised low-privilege account) is exposed. Time-based SQL injection is straightforward to exploit with standard SQL injection tools once a valid session is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.7 or later
Vendor Advisory: https://support.goodlayers.com/document/changelog-tour-master-plugin/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins
3. Find Tour Master plugin
4. Click 'Update Now' if update available
5. If no update available, download version 5.3.7+ from vendor
6. Deactivate old plugin
7. Upload and activate new version
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Tour Master plugin until patched
wp plugin deactivate tour-master
Web Application Firewall Rule
Block requests whose review_id parameter contains SQL keywords such as SLEEP, BENCHMARK or WAITFOR. Inspect both the query string and the POST body, and treat this as a stopgap only: keyword blacklists are routinely bypassed with encoding and comment tricks.
🧯 If You Can't Patch
- WordPress plugins share the site's single database user, so a SELECT-only account for the plugin alone is not practical and would not stop data extraction anyway. Instead, confirm that the WordPress database user has privileges only on its own database (no FILE, SUPER or access to other schemas), so injected queries cannot read outside the site.
- Implement rate limiting on authenticated endpoints and monitor for unusual query patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Tour Master version. If version is 5.3.6 or lower, system is vulnerable.
Check Version:
wp plugin get tour-master --field=version
Verify Fix Applied:
Verify Tour Master plugin version is 5.3.7 or higher in WordPress admin panel.
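The version check above is easy to get wrong when scripted, because comparing version strings lexically ranks "5.3.10" below "5.3.7". The following Python helper, added here as an example rather than taken from the plugin or the advisory, parses the version into integer components and wraps the WP-CLI call shown above. The plugin slug "tour-master" is the one used on this page; confirm the actual directory name under wp-content/plugins before relying on it.

```python
import re
import subprocess

FIXED_VERSION = "5.3.7"  # first patched release named in this advisory


def parse_version(version):
    """Turn '5.3.6' or '5.3.10' into a tuple of ints for correct ordering.

    Plain string comparison would wrongly rank '5.3.10' below '5.3.7'.
    A pre-release suffix such as '-beta1' is ignored, so treat such
    builds as unverified rather than patched.
    """
    numbers = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not numbers:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in numbers.group(0).split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(slug="tour-master"):
    """Ask WP-CLI for the installed version (slug assumed from this page)."""
    result = subprocess.run(
        ["wp", "plugin", "get", slug, "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"Tour Master {version}: {state} (fixed in {FIXED_VERSION})")
```

Run it from the WordPress root (or add --path=/var/www/html to the wp arguments); a non-zero exit from WP-CLI means the plugin is not installed under that slug.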
📡 Detection & Monitoring
Log Indicators:
- Unusually long query execution times, for example MySQL slow query log entries containing SLEEP() or BENCHMARK()
- Repeated requests in which the review_id parameter carries SQL fragments (SLEEP, BENCHMARK, AND/OR conditions, comment sequences) rather than a plain numeric ID
- Database error logs showing SQL syntax errors, typical of the probing phase before a working payload is found
Network Indicators:
- HTTP requests (GET or POST) to Tour Master endpoints with SQL injection patterns in the review_id parameter, often with a scanner User-Agent
- Bursts of requests from one authenticated session whose response times alternate in discrete steps (for example ~0 s versus ~5 s), the signature of time-based extraction
SIEM Query:
source="web_server_logs" AND uri="*tour-master*" AND param="*review_id*" AND (value="*SLEEP*" OR value="*BENCHMARK*" OR value="*WAITFOR*")
Note that without the parentheses the OR terms would match any request containing WAITFOR or BENCHMARK regardless of parameter, and that the value should be URL-decoded before matching, since payloads typically arrive as SLEEP%285%29.
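As an added example (not part of the original advisory or the vendor's code), the script below runs the detection logic described in this section over a handful of constructed access-log lines: it URL-decodes the review_id parameter, matches time-based primitives, flags non-numeric values, and correlates with the logged response time. The AJAX action name, IP addresses and log lines are all made up for the example, and the assumption that review_id is always an integer ID is exactly the positive-security check a WAF rule on this parameter would enforce; adjust it if your deployment passes something else. POST bodies do not appear in access logs, so body parameters still need a WAF or application-level logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample traffic (not real logs): combined log format with the
# response time in seconds appended as the last field, as Nginx does with
# $request_time or Apache with %D-based formats.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_review&review_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.031
203.0.113.7 - - [10/Mar/2025:09:12:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_review&review_id=42%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "sqlmap/1.8" 5.042
203.0.113.7 - - [10/Mar/2025:09:12:09 +0000] "POST /wp-admin/admin-ajax.php?review_id=42%29%20AND%20%28SELECT%20BENCHMARK%281000000%2CMD5%281%29%29%29%20AND%20%281 HTTP/1.1" 200 512 "-" "sqlmap/1.8" 2.910
198.51.100.4 - - [10/Mar/2025:09:13:00 +0000] "GET /tour/paris/?review_id=7 HTTP/1.1" 200 9870 "-" "Mozilla/5.0" 0.080
198.51.100.4 - - [10/Mar/2025:09:13:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1200 "-" "Mozilla/5.0" 0.020
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Time-based primitives across common engines; WordPress runs on MySQL/MariaDB,
# so SLEEP and BENCHMARK are the ones that matter, the rest are scanner noise.
TIME_BASED_RE = re.compile(r"(?i)\b(?:sleep|benchmark|pg_sleep|waitfor)\b")


def analyze(log_text, slow_seconds=2.0):
    """Return one alert per suspicious review_id value found in the log."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; count these separately in production
        params = parse_qs(urlsplit(match["target"]).query, keep_blank_values=True)
        if "review_id" not in params:
            continue
        for raw in params["review_id"]:
            # parse_qs decoded once; decode again to defeat double encoding.
            value = unquote_plus(raw)
            reasons = []
            if TIME_BASED_RE.search(value):
                reasons.append("time-based SQL primitive")
            if not value.strip().isdigit():
                # Assumption: review_id is an integer ID (see lead-in).
                reasons.append("non-numeric review_id")
            if float(match["rt"]) >= slow_seconds:
                reasons.append(f"slow response {match['rt']}s")
            if reasons:
                alerts.append({
                    "ip": match["ip"], "ts": match["ts"], "method": match["method"],
                    "ua": match["ua"], "review_id": value, "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["method"], repr(alert["review_id"]), "|", "; ".join(alert["reasons"]))
```

The slow-response check is deliberately independent of the keyword match: a payload obfuscated past the regex still produces the five-second delay it was built to produce, which is why the timing indicator above is worth keeping even when a WAF is in front.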