CVE-2024-22147

7.6 HIGH

📋 TL;DR

This SQL injection vulnerability in the WP Overnight PDF Invoices & Packing Slips for WooCommerce WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all versions up to 3.7.5, potentially compromising any WordPress site using this plugin.

💻 Affected Systems

Products:
  • WP Overnight PDF Invoices & Packing Slips for WooCommerce
Versions: All versions up to and including 3.7.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce installed and the vulnerable plugin activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, and full site takeover.

🟠 Likely Case

Unauthorized data access, including sensitive customer information and order details.

🟢 If Mitigated

Limited impact with proper input validation and database permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.6 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/woocommerce-pdf-invoices-packing-slips/wordpress-pdf-invoices-packing-slips-for-woocommerce-plugin-3-7-5-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'PDF Invoices & Packing Slips for WooCommerce'.
4. Click 'Update Now' if available, or download version 3.7.6+ from WordPress.org.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate woocommerce-pdf-invoices-packing-slips

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules.
  • Restrict database user permissions to minimum required.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins.

Check Version:

wp plugin get woocommerce-pdf-invoices-packing-slips --field=version

Verify Fix Applied:

Verify plugin version is 3.7.6 or higher after update.
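The version check above can be scripted so it gives a definite vulnerable/patched answer instead of a number to read by hand. The following is an added example, not part of the advisory or the plugin; it uses the plugin slug and the `wp plugin get` command shown above, compares the installed version against the fixed release 3.7.6 with a per-component numeric comparison (so 3.10.0 is correctly treated as newer than 3.7.6), and the `check_installed` wrapper assumes wp-cli is available on the WordPress host.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed copy of the
# plugin is below the first fixed release. Slug and fixed version are taken from
# the advisory; everything else here is illustrative.
PLUGIN_SLUG="woocommerce-pdf-invoices-packing-slips"
FIXED_VERSION="3.7.6"

# version_lt A B: succeed (exit 0) when dotted version A sorts before B.
# Components are compared numerically so "3.10.0" is newer than "3.7.6";
# a missing component counts as 0 ("2.9" == "2.9.0").
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# is_vulnerable VERSION: prints "vulnerable" (exit 0) when VERSION < 3.7.6,
# otherwise prints "patched" (exit 1).
is_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
        return 0
    fi
    echo "patched"
    return 1
}

# check_installed: live check on a WordPress host with wp-cli (hypothetical usage;
# nothing here is run by the example itself). Exit 2 if the version cannot be read.
check_installed() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "plugin not installed or wp-cli unavailable"
        return 2
    }
    echo "installed: $installed"
    is_vulnerable "$installed"
}
```

Run `check_installed` from the WordPress root (or with `--path=`) on the host; the exit status makes it usable from a fleet-wide audit job that treats 0 as "needs patching", 1 as "fixed" and 2 as "could not determine".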

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP

Network Indicators:

  • HTTP requests with SQL syntax in parameters

SIEM Query:

source="web_server" AND (url="*wp-content/plugins/woocommerce-pdf-invoices-packing-slips/*" AND (param="*' OR *" OR param="*;--*"))
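For sites without a SIEM, the same query can be approximated directly against the web server access log. The following is an added example, not part of the advisory: it encodes the advisory's two indicators (a quote followed by `OR`, and `;--`) as a grep pattern that also matches their percent-encoded forms, restricts hits to requests under the plugin's directory, and runs it over a handful of constructed log lines. The file name `example.php` and the `id`/`sort` parameters in those lines are made up for the example and are not endpoints of the plugin.

```shell
#!/bin/sh
# Added example (not from the advisory): grep equivalent of the advisory's SIEM
# query, run over constructed access-log lines. Plugin path and indicator
# patterns come from the advisory; the log lines below are fabricated.
PLUGIN_PATH="wp-content/plugins/woocommerce-pdf-invoices-packing-slips/"

# sample_log: five constructed combined-format lines. Lines 2 and 3 carry the
# advisory's SQL indicators in a parameter under the plugin path; line 1 is a
# benign asset request, line 4 carries an indicator but on a different path,
# line 5 contains the letters "or" without a preceding quote (author).
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/woocommerce-pdf-invoices-packing-slips/assets/style.css HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/woocommerce-pdf-invoices-packing-slips/example.php?id=5%27%20OR%20x HTTP/1.1" 200 300
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/woocommerce-pdf-invoices-packing-slips/example.php?id=5%27;-- HTTP/1.1" 500 120
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /?s=foo%27%20OR%20bar HTTP/1.1" 200 2048
203.0.113.14 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/woocommerce-pdf-invoices-packing-slips/example.php?sort=author HTTP/1.1" 200 300
EOF
}

# flag_sqli_requests: read log lines on stdin and print only those that hit the
# plugin path AND contain one of the advisory's indicators, raw or URL-encoded:
#   quote (' or %27), optional whitespace (space, + or %20), "OR", whitespace
#   or  ";--" (with ; possibly encoded as %3B)
flag_sqli_requests() {
    grep -F "$PLUGIN_PATH" | grep -Ei "(%27|')(%20|\\+| )*or(%20|\\+| )|(%3B|;)--"
}

# count_flagged: number of flagged lines in the sample (prints "2").
count_flagged() {
    sample_log | flag_sqli_requests | wc -l | tr -d ' '
}

# flagged_ips: source addresses of flagged requests, one per line, for blocking
# or for pivoting into other logs.
flagged_ips() {
    sample_log | flag_sqli_requests | awk '{print $1}' | sort -u
}
```

Against a real log, replace `sample_log` with `tail -f` or `cat` of the access log; the path filter is what keeps this from paging on every search form on the site, and decoding only the handful of percent-escapes the indicators need keeps the pattern readable rather than requiring a full URL decoder.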
