CVE-2024-13594
📋 TL;DR
The Simple Downloads List WordPress plugin contains a SQL injection vulnerability in the 'neofix_sdl' shortcode's 'category' parameter. Authenticated attackers with Contributor-level access or higher can exploit this to extract sensitive database information. All WordPress sites using this plugin up to version 1.4.2 are affected.
💻 Affected Systems
- WordPress Simple Downloads List plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, sensitive site data, and potential privilege escalation leading to full site takeover.
Likely Case
Extraction of sensitive information like user emails, hashed passwords, and plugin/theme data that could enable further attacks.
If Mitigated
Limited impact if proper input validation and prepared statements are implemented, restricting data extraction to non-sensitive tables.
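The defect class behind this advisory is a shortcode attribute flowing into a SQL string. The following is an added example written for this page, not the Simple Downloads List plugin's own code: a hypothetical shortcode handler shown first in the vulnerable form (attribute concatenated into the query) and then hardened with input validation and `$wpdb->prepare()`. The shortcode tag `example_sdl`, the table `example_downloads` and its columns are assumptions. The important design point is that shortcode attributes are author-controlled, and Contributor-level users can author posts, so every attribute must be treated as untrusted input.

```php
<?php
// Added example, not the plugin's code. Hypothetical shortcode handler
// illustrating the defect class (SQL built from a shortcode attribute) and
// its fix. Shortcode tag, table name and column names are assumptions.

// Vulnerable pattern: the 'category' attribute is concatenated into the SQL.
// Anyone who can place the shortcode in a post controls part of the query.
function example_sdl_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'category' => '' ), $atts, 'example_sdl' );
    $table = $wpdb->prefix . 'example_downloads'; // assumed table name
    $sql   = "SELECT id, title, file_url FROM {$table} WHERE category = '"
           . $atts['category'] . "'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: constrain the attribute to the character set a category
// slug can legitimately contain, then bind it with $wpdb->prepare().
function example_sdl_shortcode_hardened( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'category' => '' ), $atts, 'example_sdl' );

    // sanitize_key() keeps only [a-z0-9_-]; adjust if real slugs allow more.
    $category = sanitize_key( $atts['category'] );
    if ( '' === $category ) {
        return array();
    }

    // The table name comes from $wpdb->prefix, not from user input, so it may
    // be interpolated; the user-supplied value is passed as a %s placeholder,
    // which $wpdb->prepare() quotes and escapes.
    $table = $wpdb->prefix . 'example_downloads';
    $sql   = $wpdb->prepare(
        "SELECT id, title, file_url FROM {$table} WHERE category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}

// Register only the hardened handler; the vulnerable one is kept above for
// comparison and must not be wired to a shortcode.
add_shortcode( 'example_sdl', 'example_sdl_shortcode_hardened' );
```

Validation alone (the `sanitize_key()` call) would already block the quote characters an injection needs, and `$wpdb->prepare()` alone would already neutralise them; doing both means a later relaxation of the slug rules does not silently reopen the query.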
🎯 Exploit Status
Exploitation requires authenticated access but uses common SQL injection techniques that are easily automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Simple Downloads List and click 'Update Now'.
4. Verify the version is 1.4.3 or higher.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'neofix_sdl' shortcode usage across the site.
Search posts/pages for [neofix_sdl] and remove or replace it.
Restrict user roles
Temporarily remove Contributor and higher roles from untrusted users.
Navigate to Users → All Users and adjust role permissions.
🧯 If You Can't Patch
- Deactivate the Simple Downloads List plugin immediately
- Implement web application firewall rules to block SQL injection patterns targeting the 'category' parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Simple Downloads List for the installed version. If the version is 1.4.2 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='simple-downloads-list' --field=version
Verify Fix Applied:
After updating, confirm plugin version shows 1.4.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries containing 'neofix_sdl' or 'category' parameter manipulation
- Multiple failed login attempts followed by SQL-like requests
Network Indicators:
- POST/GET requests with SQL injection payloads in 'category' parameter
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND ("neofix_sdl" OR "category=") AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "UPDATE")
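The SIEM query above is a keyword match on raw log text, which misses percent-encoded payloads and flags ordinary words such as "selection". The following is an added example, not part of the advisory, that applies the same indicator logic (the `neofix_sdl` or `category=` surface plus one of the listed SQL keywords) to a constructed set of access-log lines, after URL-decoding the request target and matching keywords on word boundaries. The log lines are constructed for the example and the combined-log-format regex is an assumption about the web server's log layout.

```php
<?php
// Added example, not from the advisory. Applies the indicator logic of the
// SIEM query to constructed access-log lines. The request-line regex assumes
// the common combined log format; adapt it to your server's format.

const SDL_SQL_KEYWORDS = array( 'UNION', 'SELECT', 'INSERT', 'DELETE', 'UPDATE' );

// Returns true when the request targets the shortcode/category surface and
// carries one of the SQL keywords from the SIEM query. The request target is
// URL-decoded first so percent-encoded keywords are not missed, and keywords
// are matched on word boundaries so "selection" does not trip on SELECT.
function sdl_line_is_suspicious( string $line ): bool {
    if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return false; // not a request line we understand
    }
    $target = rawurldecode( $m[1] );

    $on_surface = ( false !== stripos( $target, 'neofix_sdl' ) )
               || ( false !== stripos( $target, 'category=' ) );
    if ( ! $on_surface ) {
        return false;
    }

    foreach ( SDL_SQL_KEYWORDS as $kw ) {
        if ( preg_match( '/\b' . $kw . '\b/i', $target ) ) {
            return true;
        }
    }
    return false;
}

// Constructed sample lines (not real traffic). Only the second one should
// be reported: it is the only line that is both on the surface and carries
// a SQL keyword once decoded.
$sample_log = array(
    '10.0.0.5 - - [01/Feb/2025:10:00:01 +0000] "GET /?category=reports HTTP/1.1" 200 1532',
    '10.0.0.9 - - [01/Feb/2025:10:00:07 +0000] "GET /?category=reports%27%20UNION%20SELECT%201 HTTP/1.1" 200 2201',
    '10.0.0.9 - - [01/Feb/2025:10:00:09 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Feb/2025:10:00:12 +0000] "GET /?s=selection&category=books HTTP/1.1" 200 1810',
);

foreach ( $sample_log as $line ) {
    if ( sdl_line_is_suspicious( $line ) ) {
        echo "ALERT: {$line}\n";
    }
}
```

Because the shortcode is rendered server-side from post content, an injection through the attribute may never appear in the web server's request log at all; the post editor's save request (`POST /wp-admin/post.php`) carries the payload in its body, so pairing this check with a review of recently edited posts containing `[neofix_sdl` by Contributor accounts gives better coverage than request logs alone.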
🔗 References
- https://plugins.trac.wordpress.org/browser/simple-downloads-list/trunk/lists/list_1/download_list_1.php#L20
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3226486%40simple-downloads-list&new=3226486%40simple-downloads-list&sfp_email=&sfph_mail=#file14
- https://www.wordfence.com/threat-intel/vulnerabilities/id/49f5bb21-d18f-453b-bef4-e3b234d162c8?source=cve