CVE-2024-33551

9.3 CRITICAL

📋 TL;DR

This is an unauthenticated SQL injection vulnerability in the XStore Core WordPress plugin. Attackers can execute arbitrary SQL commands without authentication, potentially compromising the database. All WordPress sites using XStore Core versions up to 5.3.5 are affected.

💻 Affected Systems

Products:
  • XStore Core WordPress plugin
Versions: All versions up to and including 5.3.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with XStore Core plugin active.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, remote code execution, or site takeover.

🟠 Likely Case: Database information disclosure, data manipulation, or administrative access to WordPress.

🟢 If Mitigated: Limited impact if proper input validation and WAF rules block malicious requests.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and vulnerable to unauthenticated attacks.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be compromised via internal attackers or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is well-understood with many automated tools available. Public exploit details exist on Patchstack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.6 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/et-core-plugin/wordpress-xstore-core-plugin-5-3-5-unauthenticated-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find XStore Core plugin
4. Click 'Update Now' if update available
5. Alternatively, download version 5.3.6+ from WordPress repository and manually update

🔧 Temporary Workarounds

Disable XStore Core plugin
Platform: all

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate et-core-plugin

Web Application Firewall rules
Platform: all

Implement WAF rules to block SQL injection patterns targeting XStore Core endpoints.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WordPress instance
  • Deploy database monitoring to detect SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > XStore Core version. If version is 5.3.5 or lower, you are vulnerable.

Check Version:

wp plugin get et-core-plugin --field=version

Verify Fix Applied:

Verify XStore Core plugin version is 5.3.6 or higher in WordPress admin panel.
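The version check described above, as an added example (not code from the vendor, Patchstack, or the plugin): it wraps the page's wp-cli command and compares the result against 5.3.6 numerically, so that a version such as 5.10.0 is not misjudged as older than 5.3.6 by a plain string comparison. Assumptions: wp-cli is on PATH and the WordPress root is /var/www/html (the wp_path parameter is a placeholder to adjust); the slug et-core-plugin and the fixed version 5.3.6 come from the page.

```python
import re
import subprocess

PLUGIN_SLUG = "et-core-plugin"   # slug used by the page's wp-cli commands
FIXED_VERSION = "5.3.6"          # first fixed version reported on the page


def parse_version(version):
    """Turn '5.3.5' into the tuple (5, 3, 5) so versions compare numerically.

    A non-numeric suffix such as '-beta1' is dropped (the numeric part decides);
    a short version like '5.3' compares as older than '5.3.6', as intended.
    """
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def is_vulnerable(installed_version):
    """True when the installed version is below the fixed release (<= 5.3.5)."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def installed_version(wp_path="/var/www/html"):
    """Query wp-cli for the installed plugin version.

    Returns None when wp-cli is missing or the plugin is not installed.
    wp_path is an assumed placeholder for the WordPress root.
    """
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print(f"{PLUGIN_SLUG}: not installed or wp-cli unavailable")
    elif is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version}: VULNERABLE, update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SLUG} {version}: patched")
```

Run it on the web host as the user that owns the WordPress files; a non-zero wp-cli exit (plugin absent, wrong path) is reported as "not installed" rather than raising, so the script can be scheduled without crashing.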

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in WordPress logs
  • Multiple requests to XStore Core endpoints with SQL syntax

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to /wp-content/plugins/et-core-plugin/ endpoints

SIEM Query:

source="wordpress.log" AND ("et-core-plugin" OR "XStore") AND ("SQL" OR "database" OR "syntax")
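The log and network indicators above, turned into a small detection pass as an added example (not code from the page, the vendor, or Patchstack): it parses web-server access log lines in the common combined format, URL-decodes the request target (twice, so that double-encoded payloads are caught), flags requests under /wp-content/plugins/et-core-plugin/ whose decoded target contains SQL syntax, and then reports source addresses that sent several such requests. The log lines are constructed sample data, not real traffic; the path prefix comes from the page, while the keyword patterns and the per-IP threshold are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Path prefix for XStore Core endpoints, as given on the page.
PLUGIN_PREFIX = "/wp-content/plugins/et-core-plugin/"

# Combined access log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL syntax that has no business in a request to a plugin endpoint.
SQL_PATTERNS = re.compile(
    r"\bunion\b\s+(?:all\s+)?select\b"
    r"|\bselect\b.+?\bfrom\b"
    r"|\b(?:sleep|benchmark)\s*\("
    r"|\binformation_schema\b"
    r"|'\s*(?:or|and)\b",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic). 203.0.113.10 sends two
# SQL-laden requests; 198.51.100.7 is ordinary theme/admin-ajax traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:10:01:02 +0000] "GET /wp-content/plugins/et-core-plugin/ajax.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:01:05 +0000] "GET /wp-content/plugins/et-core-plugin/ajax.php?id=1%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2024:10:01:07 +0000] "GET /wp-content/plugins/et-core-plugin/ajax.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:10:02:00 +0000] "GET /wp-content/themes/xstore/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2024:10:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=select_product HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    # Decode twice: a single decode leaves double-encoded payloads untouched.
    record["decoded"] = unquote_plus(unquote_plus(record["target"]))
    return record


def is_xstore_sqli_request(decoded_target):
    """True if the request hits a plugin endpoint and carries SQL syntax."""
    path = decoded_target.split("?", 1)[0]
    return path.startswith(PLUGIN_PREFIX) and SQL_PATTERNS.search(decoded_target) is not None


def scan_log(text):
    """Return the parsed records of every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        record = parse_line(line)
        if record and is_xstore_sqli_request(record["decoded"]):
            hits.append(record)
    return hits


def suspicious_sources(hits, threshold=2):
    """Map source IP -> hit count for IPs at or above the threshold."""
    counts = Counter(hit["ip"] for hit in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['decoded']}")
    print("repeat offenders:", suspicious_sources(found))
```

A 500 response on a flagged request (the second sample line) matches the page's "unusual SQL errors" indicator and is worth correlating with the PHP error log; the threshold keeps a single stray request from paging anyone while a burst from one address does.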
