CVE-2024-13781

6.5 MEDIUM

SQL Injection

📋 TL;DR

The Hero Maps Premium WordPress plugin contains a SQL injection vulnerability that allows authenticated attackers with Subscriber-level access or higher to execute arbitrary SQL queries. This can lead to unauthorized data extraction from the database, affecting all WordPress sites using vulnerable versions of this plugin.

💻 Affected Systems

Products:

• Hero Maps Premium WordPress Plugin

Versions: All versions up to and including 2.3.9

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the Hero Maps Premium plugin active. Attackers need at least Subscriber-level authenticated access.

📦 What is this software?

Hero Maps Premium by Heroplugins

View all CVEs affecting Hero Maps Premium →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including extraction of sensitive user data, administrative credentials, and potential privilege escalation to full site control.

🟠

Likely Case

Unauthorized access to sensitive information stored in the database such as user credentials, personal data, or site configuration.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, restricting attackers to data they already have access to.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple once authentication is obtained. SQL injection vulnerabilities are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0 or later

Vendor Advisory: https://codecanyon.net/item/hero-maps-premium-responsive-google-maps-plugin/12577151

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Hero Maps Premium. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 2.4.0+ from CodeCanyon and replace plugin files.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoints

all

Temporarily disable the vulnerable AJAX actions by modifying WordPress functions.php or using a security plugin to block specific endpoints.

Copy

Add to theme's functions.php: remove_action('wp_ajax_hero_maps_action', 'vulnerable_function'); remove_action('wp_ajax_nopriv_hero_maps_action', 'vulnerable_function');

Web Application Firewall rule

linux

Implement WAF rules to block SQL injection patterns targeting Hero Maps plugin endpoints.

Copy

ModSecurity rule: SecRule REQUEST_URI "@contains wp-admin/admin-ajax.php" "chain,id:1001,phase:2,deny,status:403,msg:'Hero Maps SQLi attempt'" SecRule ARGS "@detectSQLi"

🧯 If You Can't Patch

• Immediately disable the Hero Maps Premium plugin if patching is not possible.
• Implement strict network segmentation to isolate the vulnerable WordPress instance from sensitive databases.

🔍 How to Verify

Check if Vulnerable:

Copy

Check WordPress admin panel → Plugins → Hero Maps Premium. If version is 2.3.9 or lower, the system is vulnerable.

Check Version:

Copy

wp plugin list --name=hero-maps-premium --field=version

Verify Fix Applied:

Copy

After updating, verify plugin version shows 2.4.0 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

• Unusual SQL queries in database logs containing 'hero_maps' references
• Multiple failed authentication attempts followed by successful logins from same IP
• AJAX requests to wp-admin/admin-ajax.php with SQL keywords in parameters

Network Indicators:

• HTTP POST requests to /wp-admin/admin-ajax.php with SQL injection payloads
• Unusual database connection patterns from web server

SIEM Query:

Copy

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (param="action" AND value="hero_maps*") AND (param="*" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|exec)")

📊 Metadata

CVE ID: CVE-2024-13781

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-89

EPSS Score: 0.1% exploit probability (28.6th percentile)

Published: March 7, 2025

Last Updated: March 13, 2025

🔗 References

• https://codecanyon.net/item/hero-maps-premium-responsive-google-maps-plugin/12577151 Product
• https://www.wordfence.com/threat-intel/vulnerabilities/id/8f394209-df80-491f-b700-cc06e54ea676?source=cve Third Party Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13781, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)

CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)

CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)