CVE-2024-13533
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress sites using the Small Package Quotes – USPS Edition plugin. Attackers can extract sensitive information from the database by manipulating the 'edit_id' parameter. All WordPress sites running version 1.3.5 or earlier of this plugin are affected.
💻 Affected Systems
- Small Package Quotes – USPS Edition WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, sensitive site data, and potential privilege escalation leading to full site takeover.
Likely Case
Data exfiltration of sensitive information stored in the WordPress database, including user data, plugin settings, and potentially other site content.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful injection.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it requires only web access and manipulation of a single parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.3.5
Vendor Advisory: https://plugins.trac.wordpress.org/browser/small-package-quotes-usps-edition/trunk/admin/tab/shipping-rules/shipping-rules-save.php#L77
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Small Package Quotes – USPS Edition'.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the vulnerable shipping-rules-save.php file via web server configuration
# For Apache: Add to .htaccess
# (Order/Deny are Apache 2.2 directives; on Apache 2.4 without mod_access_compat
#  replace the two lines inside <Files> with: Require all denied)
<Files "shipping-rules-save.php">
Order allow,deny
Deny from all
</Files>
# For Nginx: Add to server block
# (place this before any generic "location ~ \.php$" block, since the first
#  matching regex location wins)
location ~* /admin/tab/shipping-rules/shipping-rules-save\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the plugin from all WordPress installations
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the edit_id parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Small Package Quotes – USPS Edition. If version is 1.3.5 or lower, you are vulnerable.
Check Version:
# In WordPress admin: Plugins page shows version
# Or check file: wp-content/plugins/small-package-quotes-usps-edition/readme.txt
Verify Fix Applied:
After update, verify plugin version is higher than 1.3.5 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in WordPress/database logs
- Multiple requests to /wp-content/plugins/small-package-quotes-usps-edition/admin/tab/shipping-rules/shipping-rules-save.php with edit_id parameter manipulation
- Database error messages containing SQL syntax
Network Indicators:
- HTTP POST requests to shipping-rules-save.php with SQL injection payloads in edit_id parameter
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="*shipping-rules-save.php*" AND (query="*edit_id=*UNION*" OR query="*edit_id=*SELECT*" OR query="*edit_id=*INSERT*")
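The SIEM query above matches literal, upper-case keywords in the raw query string, so percent-encoded or mixed-case values slip past it. As an added example (not part of the original advisory or the plugin), the following Python scans combined-format access-log lines for requests to shipping-rules-save.php, URL-decodes the edit_id value, and flags anything that is not the plain integer id the plugin is assumed to expect or that contains a SQL keyword. The log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# File name taken from the advisory; the plugin is assumed to expect an integer edit_id.
VULN_FILE = "shipping-rules-save.php"
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|SLEEP|BENCHMARK)\b", re.IGNORECASE)

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD uri PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def check_line(line):
    """Return a finding dict for a suspicious edit_id request, or None for a normal line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable or non-combined-format line
    parts = urlsplit(m.group("uri"))
    if not parts.path.endswith(VULN_FILE):
        return None
    # parse_qs decodes one layer of percent-encoding; unquote_plus handles double-encoding.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("edit_id", []):
        decoded = unquote_plus(value)
        if not decoded.isdigit() or SQL_KEYWORDS.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "edit_id": decoded}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample log lines (documentation IP ranges, no real hosts).
PLUGIN_DIR = "/wp-content/plugins/small-package-quotes-usps-edition/admin/tab/shipping-rules/"
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET ' + PLUGIN_DIR + 'shipping-rules-save.php?edit_id=7 HTTP/1.1" 200 512',
    '198.51.100.5 - - [10/Jan/2025:12:00:09 +0000] "GET ' + PLUGIN_DIR + 'shipping-rules-save.php?edit_id=7%20union%20select HTTP/1.1" 500 231',
    '203.0.113.10 - - [10/Jan/2025:12:00:15 +0000] "GET /wp-admin/admin.php?page=plugins HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body never appear in a standard access log, so for the POST requests listed under Network Indicators the same check has to run in the WAF or on request-body logging rather than on these lines.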
🔗 References
- https://plugins.trac.wordpress.org/browser/small-package-quotes-usps-edition/trunk/admin/tab/shipping-rules/shipping-rules-save.php#L77
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3242060%40small-package-quotes-usps-edition&new=3242060%40small-package-quotes-usps-edition&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e67883-1f6c-4454-8d51-96fa2d1366d7?source=cve