CVE-2024-3552
📋 TL;DR
Unauthenticated attackers can run arbitrary SQL against the database of any WordPress site running the Web Directory Free plugin before version 1.7.0, reaching the injection through an AJAX action that needs no login. They can read, modify, or delete database content, which in practice means the whole site is compromised. Every site with a version older than 1.7.0 is affected.
💻 Affected Systems
- Web Directory Free WordPress Plugin
📦 What is this software?
Web Directory Free by Salephpscripts
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise: data theft, site defacement, administrative account takeover (via the password hashes in wp_users or by inserting an administrator row), and, if the database account holds the MySQL FILE privilege and secure_file_priv allows it, file writes that lead to server compromise.
Likely Case
Data exfiltration from WordPress database including user credentials, sensitive content, and plugin data, followed by site defacement or malware injection.
If Mitigated
Limited impact if a WAF blocks SQL injection patterns on the plugin's AJAX action and the database account is restricted (no FILE privilege, no access to other databases). Note that WordPress needs full read/write on its own database, so least privilege cannot protect the WordPress tables themselves; only patching or removing the plugin does.
🎯 Exploit Status
Unauthenticated SQL injection reachable through a plugin AJAX action on /wp-admin/admin-ajax.php; exploitation techniques have been documented publicly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://wpscan.com/vulnerability/34b03ee4-de81-4fec-9f3d-e1bd5b94d136/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Web Directory Free' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.7.0 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Apache (.htaccess): block requests whose query string carries the plugin's AJAX action. Place the block above WordPress's own rewrite rules.
# Add to .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=webdirectoryfree_ajax [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
Caveat: mod_rewrite sees only the URL and query string. admin-ajax.php is normally called with POST and the action in the request body, which this rule cannot inspect, so treat it as a partial measure and pair it with the WAF rule below or deactivate the plugin.
Web Application Firewall rule
Deploy a WAF rule that inspects every parameter (query string and body) of requests carrying the plugin's AJAX action rather than one named parameter, since the advisory does not name the vulnerable one. ModSecurity needs SecRequestBodyAccess On for the body to be checked in phase 2. The action name below is the one given on this page; confirm it against the plugin source.
# Example ModSecurity rule (chained: both conditions must match):
SecRule ARGS:action "@beginsWith webdirectoryfree" \
    "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in Web Directory Free plugin',chain"
    SecRule ARGS "@detectSQLi" "t:none,t:urlDecodeUni"
🧯 If You Can't Patch
- Deactivate and delete the Web Directory Free plugin entirely. Deactivation alone stops the plugin from registering its AJAX action; deletion removes the code.
- Block requests to /wp-admin/admin-ajax.php that contain SQL injection patterns at the network or WAF layer, but do not block admin-ajax.php outright: WordPress core, themes and many other plugins depend on it.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins → Installed Plugins → Web Directory Free and read the version. Anything below 1.7.0 is vulnerable. An inactive copy on disk is not reachable through admin-ajax.php but should still be updated or deleted.
Check Version:
wp plugin list --name='web-directory-free' --field=version
Verify Fix Applied:
Confirm the plugin reports 1.7.0 or higher. Only test the AJAX endpoint with injection payloads on a staging copy; on production, the version check is the verification.
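As an added example (not from the plugin or the advisory), the script below does the version check across a WordPress root the way WordPress itself reads plugin headers (the first 8 KiB of each top-level .php file in the plugin directory), and compares versions numerically so that 1.10.x is not mistaken for a version older than 1.7.0. It assumes the plugin lives under wp-content/plugins/web-directory-free; the sample header and the file name plugin.php are constructed for the demo. It only checks files on disk; whether the plugin is active is a separate check with wp plugin list --status=active.

```python
"""Check an installed Web Directory Free copy against the fixed release (1.7.0)."""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.7.0"
PLUGIN_SLUG = "web-directory-free"  # assumed directory name under wp-content/plugins

# Same header regexes WordPress uses in get_file_data(); it reads only the first 8 KiB.
HEADER_RE = {
    "name": re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I),
    "version": re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", re.M | re.I),
}

# Constructed sample header (not the plugin's real file), just enough to exercise the parser.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Web Directory Free
 * Version: 1.6.5
 */
"""


def header_field(text: str, field: str):
    """Value of a plugin header field from the first 8 KiB of a file, or None."""
    m = HEADER_RE[field].search(text[:8192])
    return m.group(1) if m else None


def parse_version(version: str) -> tuple:
    """Leading numeric part as an int tuple padded to three places, so that
    1.10.0 > 1.7.0 and 1.7 == 1.7.0 (plain string comparison gets both wrong)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) < parse_version(fixed)


def check_install(wp_root) -> dict:
    """Inspect one WordPress root: {'installed', 'version', 'vulnerable'}."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False, "version": None, "vulnerable": False}
    # WordPress scans the top-level .php files of a plugin directory for the header.
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        version = header_field(head, "version")
        if header_field(head, "name") and version:
            return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}
    # Present on disk but no readable header: inspect by hand.
    return {"installed": True, "version": None, "vulnerable": None}


def make_sample_install(root) -> Path:
    """Write the constructed sample header into a throwaway plugin directory (demo only)."""
    d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    d.mkdir(parents=True, exist_ok=True)
    (d / "plugin.php").write_text(SAMPLE_HEADER, encoding="utf-8")  # hypothetical file name
    return Path(root)


def demo() -> dict:
    """Build the sample install in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_install(make_sample_install(tmp))


if __name__ == "__main__":
    print(demo())  # the constructed 1.6.5 sample is reported as vulnerable
```

Run check_install against each WordPress document root in your fleet; a result with version None means the plugin directory exists but the header could not be read, which wants a manual look rather than a clean bill.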
📡 Detection & Monitoring
Log Indicators:
- Requests to /wp-admin/admin-ajax.php that carry the plugin's AJAX action together with SQL syntax in another parameter: UNION SELECT, SELECT ... FROM, information_schema, or the time-based markers SLEEP( and BENCHMARK( used by blind injection. Match case-insensitively and after URL-decoding; payloads are often encoded, sometimes twice. Bare keyword matching on "SELECT" or "INSERT" alone false-positives on ordinary search terms.
- Database error messages in the web server or PHP error log that mention plugin tables or expose query fragments.
- Bursts of near-identical requests from one source, often with a scanner User-Agent such as sqlmap; boolean- and time-based extraction looks like the same request repeated with small variations.
Network Indicators:
- A jump in query volume from the web server to the database that is not matched by a rise in legitimate traffic.
- Unusually large or slow responses from admin-ajax.php: union-based extraction inflates response size, time-based extraction inflates latency. Exfiltrated data leaves in HTTP responses, not over the database port.
SIEM Query (pseudo-syntax; adapt to your SIEM and apply after URL-decoding the request):
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (param="webdirectoryfree_ajax" OR param="webdirectoryfree") AND query MATCHES "(?i)(union\s+select|sleep\(|benchmark\(|information_schema|\bselect\b.*\bfrom\b)"
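The log indicators above, implemented as an added detection script (not part of this advisory or the plugin): it parses combined-format access log lines, keeps only admin-ajax.php requests whose action is the plugin's, URL-decodes each other parameter twice to unmask double encoding, and tests the values against union-based, boolean-based and time-based injection markers, so a search for "select a listing" on the front page does not fire. The action names are the ones given on this page, the parameter name listing is hypothetical, and the log lines are constructed. Access logs never contain POST bodies, so this only sees payloads sent in the query string; for body payloads use the WAF's audit log.

```python
"""Flag SQL-injection probes against a WordPress plugin AJAX action in access logs."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# AJAX action names as listed on this page; confirm against the plugin's own
# add_action('wp_ajax_nopriv_...') registrations before relying on them.
PLUGIN_ACTIONS = {"webdirectoryfree_ajax", "webdirectoryfree"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx combined log format. POST bodies never appear here, so only
# query-string payloads are visible; body payloads need a WAF audit log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Union-based, boolean-based and time-based (blind) injection markers.
# A bare keyword list ("SELECT") would false-positive on ordinary search terms.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b[\s(]+(all\s+)?select\b",
    r"\b(select|insert|update|delete)\b.+\bfrom\b",
    r"\b(sleep|benchmark)\s*\(",
    r"\b(and|or)\b\s+'?\d+'?\s*=\s*'?\d+",
    r"\binformation_schema\b",
)]

# Constructed sample log lines (not real traffic). 'listing' is a hypothetical
# parameter name; the advisory does not name the vulnerable one. Line 3 is
# double-encoded (%2520) the way scanners evade single-decode filters.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=webdirectoryfree_ajax&listing=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=webdirectoryfree_ajax&listing=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 2048 "-" "sqlmap/1.8"
203.0.113.5 - - [10/Apr/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=webdirectoryfree_ajax&listing=1)%2520AND%2520SLEEP(5)-- HTTP/1.1" 200 64 "-" "sqlmap/1.8"
198.51.100.7 - - [10/Apr/2024:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2024:12:00:05 +0000] "GET /?s=select+a+listing+from+the+list HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def decode_params(target: str) -> dict:
    """Query parameters of a request target, decoded twice to unmask %25-style double encoding."""
    query = urlsplit(target).query
    return {k: unquote_plus(v) for k, v in parse_qsl(query, keep_blank_values=True)}


def sqli_indicators(value: str) -> list:
    """Pattern strings that fire on one parameter value (empty list if clean)."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def scan_line(line: str):
    """Return a finding dict for a suspicious plugin-AJAX request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if urlsplit(target).path != AJAX_PATH:
        return None
    params = decode_params(target)
    if params.get("action") not in PLUGIN_ACTIONS:
        return None
    hits = {k: sqli_indicators(v) for k, v in params.items() if k != "action"}
    hits = {k: v for k, v in hits.items() if v}
    if not hits:
        return None
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "status": int(m.group("status")),
        "bytes": None if m.group("bytes") == "-" else int(m.group("bytes")),
        "params": hits,
    }


def scan_log(text: str) -> list:
    """All findings in a log text, in file order."""
    return [f for f in map(scan_line, text.splitlines()) if f]


def sources(findings) -> Counter:
    """Findings per source IP, for triage and blocking decisions."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["status"], f["bytes"], f["params"])
    print(sources(found))
```

On the constructed sample the first plugin request (listing=1) and the heartbeat and front-page search lines stay silent; the UNION SELECT line and the double-encoded SLEEP(5) line are reported, both from 203.0.113.5. Feed real logs through scan_log and feed sources() into your blocklist or SIEM enrichment.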