CVE-2024-13531

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the ShipEngine Shipping Quotes WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries through the 'edit_id' parameter. All WordPress sites running this plugin at version 1.0.7 or earlier are affected, potentially exposing sensitive database information.

💻 Affected Systems

Products:
  • ShipEngine Shipping Quotes WordPress Plugin
Versions: All versions up to and including 1.0.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including extraction of user credentials, sensitive site data, and potential privilege escalation to full site takeover.

🟠 Likely Case: Extraction of sensitive data from the WordPress database including user information, plugin settings, and potentially authentication hashes.

🟢 If Mitigated: Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation means any internet-facing WordPress site with this plugin is vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET/POST parameter requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.0.8 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3151268/shipengine-shipping-quotes/trunk/admin/tab/shipping-rules/shipping-rules-save.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the ShipEngine Shipping Quotes plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.0.8+ from the WordPress repository.

🔧 Temporary Workarounds

Disable vulnerable plugin

Platform: WordPress

Temporarily deactivate the ShipEngine Shipping Quotes plugin until the patched version can be installed.

wp plugin deactivate shipengine-shipping-quotes

Web Application Firewall rule

Platform: all

Block requests containing SQL injection patterns targeting the edit_id parameter.

🧯 If You Can't Patch

  • Implement strict network access controls to limit plugin access to trusted IPs only
  • Deploy a web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > ShipEngine Shipping Quotes > Version. If version is 1.0.7 or lower, you are vulnerable.

Check Version:

wp plugin get shipengine-shipping-quotes --field=version

Verify Fix Applied:

Verify plugin version is 1.0.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in WordPress debug logs
  • Multiple requests to shipping-rules-save.php with suspicious edit_id parameters
  • Database query patterns with UNION SELECT or other SQL injection signatures

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in edit_id parameter
  • Unusual traffic to /wp-content/plugins/shipengine-shipping-quotes/admin/tab/shipping-rules/shipping-rules-save.php

SIEM Query:

source="wordpress.log" AND ("shipping-rules-save.php" OR "edit_id") AND ("SQL" OR "syntax" OR "SELECT" OR "UNION")
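As an added illustration of the log indicators above (example code, not from the advisory or the plugin), this Python script parses combined-format web access log lines, picks out requests to the shipping-rules-save.php handler, and flags any edit_id value that is not a plain integer, distinguishing values that carry common SQL injection markers from other malformed ids. The handler path is taken from the advisory; the log lines, timestamps and IP addresses are constructed, and the marker regex is an assumed starting set to tune for your environment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Vulnerable handler path from the advisory; edit_id is expected to be a plain record id.
TARGET_PATH = ("/wp-content/plugins/shipengine-shipping-quotes"
               "/admin/tab/shipping-rules/shipping-rules-save.php")

# Common SQL injection markers (an assumed starting set; tune to your environment).
SQLI_RE = re.compile(r"\b(union|select|sleep|benchmark)\b|\bor\b\s+\S+\s*=|--|/\*|'", re.I)

# Apache/nginx combined log format: client ip ... [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify(line):
    """Return (ip, reason, edit_id) for a suspicious hit on the handler, else None.

    Only GET query strings are visible in access logs; POST bodies need WAF or
    application-level logging before the same check can be applied.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so "%20UNION%20" arrives as " UNION ".
    for value in parse_qs(url.query, keep_blank_values=True).get("edit_id", []):
        if value.isdigit():
            continue
        reason = "sqli-pattern" if SQLI_RE.search(value) else "non-numeric-edit_id"
        return (m.group("ip"), reason, value)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET ' + TARGET_PATH + '?edit_id=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:12:00:05 +0000] "GET ' + TARGET_PATH + '?edit_id=12%20UNION%20SELECT%201 HTTP/1.1" 200 987',
    '198.51.100.7 - - [10/Jan/2025:12:00:09 +0000] "GET ' + TARGET_PATH + '?edit_id=12abc HTTP/1.1" 200 402',
    '192.0.2.4 - - [10/Jan/2025:12:01:00 +0000] "GET /wp-login.php?redirect_to=UNION HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for ip, reason, value in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Feed real access logs through scan() and alert on any sqli-pattern hit; repeated non-numeric-edit_id hits from one client are also worth a look, since the parameter should only ever carry a record id.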

🔗 References