CVE-2024-13532
📋 TL;DR
This SQL injection vulnerability in the Small Package Quotes – Purolator Edition WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries through the 'edit_id' and 'dropship_edit_id' parameters. Attackers can extract sensitive database information including user credentials, plugin data, and potentially WordPress core data. All WordPress sites using this plugin up to version 3.6.4 are affected.
💻 Affected Systems
- Small Package Quotes – Purolator Edition WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover
Likely Case
Extraction of sensitive plugin data, user information, and potential WordPress database access
If Mitigated
Limited information disclosure if database permissions are properly restricted
🎯 Exploit Status
Direct parameter manipulation in HTTP requests, no authentication required
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.6.5 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Small Package Quotes – Purolator Edition'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 3.6.5+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
WordPressDisable the vulnerable plugin until patched
wp plugin deactivate small-package-quotes-purolator-edition
Web Application Firewall Rules
allBlock requests containing SQL injection patterns targeting edit_id and dropship_edit_id parameters
🧯 If You Can't Patch
- Disable the plugin immediately via WordPress admin or wp-cli
- Implement strict WAF rules to block SQL injection patterns and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Small Package Quotes – Purolator Edition' version 3.6.4 or earlierCheck Version:
wp plugin get small-package-quotes-purolator-edition --field=versionVerify Fix Applied:
Verify plugin version is 3.6.5 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- HTTP requests with SQL patterns in edit_id or dropship_edit_id parameters
- Multiple failed database queries from single IP
Network Indicators:
- HTTP POST/GET requests with SQL injection payloads
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND ("edit_id" OR "dropship_edit_id") AND ("UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE" OR "OR 1=1")🔗 References
- https://plugins.trac.wordpress.org/browser/small-package-quotes-purolator-edition/trunk/warehouse-dropship/wild/includes/wild-delivery-save.php#L237
- https://plugins.trac.wordpress.org/browser/small-package-quotes-purolator-edition/trunk/warehouse-dropship/wild/includes/wild-delivery-save.php#L346
- https://www.wordfence.com/threat-intel/vulnerabilities/id/813fe9d2-913c-4e04-bcb7-443eef95c62e?source=cve
