CVE-2024-32125

8.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the BA Book Everything WordPress plugin allows an attacker to execute arbitrary SQL commands against the site's database. It affects every WordPress site running the plugin at any version up to and including 1.6.4. Successful exploitation could lead to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • WordPress BA Book Everything plugin
Versions: n/a through 1.6.4 (every release up to and including 1.6.4)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin activated

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, privilege escalation, or full site takeover

🟠 Likely Case

Unauthorized data access, modification of booking records, or extraction of sensitive user information

🟢 If Mitigated

Limited impact due to proper input validation, parameterized queries, or WAF protection

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited, and automated tooling for exploiting them is widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/ba-book-everything/wordpress-ba-book-everything-plugin-1-6-4-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'BA Book Everything'
4. Click 'Update Now' if available
5. If no update appears, download version 1.6.5 or later from the WordPress.org plugin repository
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Web Application Firewall (WAF) (platform: all)

  Deploy a WAF with SQL injection protection rules

Plugin Deactivation (platform: linux)

  Temporarily disable the BA Book Everything plugin (its booking features are unavailable while it is deactivated):

    wp plugin deactivate ba-book-everything

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in custom code (this hardens code you control; it does not fix the plugin's own queries)
  • Restrict the WordPress database user to the minimum privileges required

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → BA Book Everything version number

Check Version:

wp plugin get ba-book-everything --field=version

Verify Fix Applied:

Confirm plugin version is 1.6.5 or higher in WordPress admin
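The version check above can be scripted across many sites. The following is an added example, not from the advisory or the plugin: it classifies a version string against the fixed release 1.6.5 (everything below it is in the affected "n/a through 1.6.4" range) and, optionally, reads the live version with wp-cli. It assumes wp-cli is installed and uses its global --path option to point at each site root; the site paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: classify a BA Book Everything
# version against the fixed release 1.6.5, and optionally read the live version with
# wp-cli (assumes wp-cli is installed; --path is wp-cli's global option for the site root).
FIXED_VERSION="1.6.5"

# version_lt A B -> exit 0 when dot-separated version A is strictly lower than B.
# Non-numeric suffixes such as "-beta" are ignored (assumption: the plugin uses plain x.y.z).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a= || a=${a#*.}
        [ "$bi" = "$b" ] && b= || b=${b#*.}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # versions are equal
}

# ba_book_status VERSION -> prints "vulnerable" (n/a through 1.6.4) or "patched" (1.6.5+).
ba_book_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# check_site SITE_ROOT -> reads the installed version via wp-cli and reports the status.
check_site() {
    v=$(wp plugin get ba-book-everything --field=version --path="$1" 2>/dev/null) \
        || { echo "$1: plugin not installed (or wp-cli unavailable)"; return 0; }
    echo "$1: ba-book-everything $v -> $(ba_book_status "$v")"
}

# Usage over several sites (placeholder paths):
#   for d in /var/www/*/public; do check_site "$d"; done
```

The comparison is done component by component rather than as a string so that a future 1.6.10 is not mistaken for something older than 1.6.5.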

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in WordPress debug logs
  • Multiple failed SQL queries with unusual patterns

Network Indicators:

  • HTTP requests with SQL keywords in parameters (SELECT, UNION, etc.)
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND ("SQL syntax" OR "database error" OR ("wp_" AND ("SELECT" OR "UNION" OR "DROP")))
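The network indicators above (SQL keywords in request parameters) and the SIEM query both boil down to keyword matching, which is easy to evade with URL encoding and easy to false-positive on paths such as /select-room/. The following is an added example, not from the advisory: a small log scanner that decodes the query string of each access-log line and flags only injection-shaped content. It assumes the combined (Apache/nginx) access-log format; the sample lines are constructed for the demonstration and are not real traffic.

```shell
#!/bin/sh
# Added example, not from the advisory: flag HTTP access-log lines whose query string
# contains SQL-injection-style content after URL decoding. Combined log format and the
# sample lines are assumed/constructed; tune SQLI_PATTERN to your WAF or SIEM before use.

# Keyword shapes that rarely occur in legitimate booking-form input (extended regex).
SQLI_PATTERN="union[[:space:]]+(all[[:space:]]+)?select|'[[:space:]]*(or|and)[[:space:]]|sleep\(|benchmark\(|information_schema|--[[:space:]]|/\*"

# url_decode: undo the encodings most often used to hide keywords from naive matching.
url_decode() {
    sed -e 's/+/ /g' -e "s/%27/'/g" -e 's/%20/ /g' -e 's/%28/(/g' -e 's/%29/)/g' \
        -e 's/%2[Cc]/,/g' -e 's/%2[Aa]/*/g' -e 's/%2[Ff]/\//g' -e 's/%3[Dd]/=/g' -e 's/%2[Dd]/-/g'
}

# flag_sqli_requests: read log lines on stdin, print those whose request target
# matches SQLI_PATTERN once the query string is decoded.
flag_sqli_requests() {
    while IFS= read -r line; do
        # the request target sits between the method and "HTTP/x.y" in the quoted field
        target=$(printf '%s\n' "$line" | sed -n 's/^[^"]*"[A-Z]* \([^ ]*\) HTTP[^"]*".*/\1/p')
        [ -n "$target" ] || continue
        # inspect only the query string, so path names like /select-room/ are not flagged
        query=${target#*\?}
        [ "$query" != "$target" ] || continue
        if printf '%s\n' "$query" | url_decode | grep -Eiq "$SQLI_PATTERN"; then
            printf '%s\n' "$line"
        fi
    done
}

# count_sqli_requests: number of flagged lines, for alert thresholds.
count_sqli_requests() { flag_sqli_requests | grep -c ''; }

# Constructed sample log lines (not real traffic). Lines 2 and 4 should be flagged.
SAMPLE_LOG='203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /booking/?room=12&date=2024-05-03 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/May/2024:10:00:02 +0000] "GET /booking/?room=12%27+UNION+SELECT+1,2,3--+ HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.12 - - [01/May/2024:10:00:03 +0000] "GET /select-room/?s=ocean+view HTTP/1.1" 200 388 "-" "Mozilla/5.0"
203.0.113.13 - - [01/May/2024:10:00:04 +0000] "GET /booking/?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 388 "-" "curl/8.0"'

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_sqli_requests
```

Treat hits as triage candidates rather than confirmed attacks: correlate the flagged source IP with the WordPress debug-log indicators above (SQL syntax errors in the same time window) before escalating, and remember that POST bodies are not visible in the access log, so this catches only GET-style probing.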

🔗 References