CVE-2024-6027
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform time-based SQL injection attacks on WordPress sites using the Themify WooCommerce Product Filter plugin. Attackers can extract sensitive database information by manipulating the 'conditions' parameter. All WordPress sites with vulnerable plugin versions are affected.
💻 Affected Systems
- Themify - WooCommerce Product Filter WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, payment information, personal data, and potential privilege escalation to full site takeover.
Likely Case
Extraction of sensitive user data, admin credentials, and WooCommerce order information leading to data breach and potential financial fraud.
If Mitigated
Limited information disclosure if database permissions are properly restricted and security controls are in place.
🎯 Exploit Status
Time-based SQL injection requires no authentication and can be automated. Public exploit code may emerge given the high CVSS score.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://themify.org/changelogs/themify-wc-product-filter.txt
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Themify - WooCommerce Product Filter'. 4. Click 'Update Now' if available. 5. If not available, download version 1.5.0+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Themify WooCommerce Product Filter plugin until patched
wp plugin deactivate themify-wc-product-filter
Web Application Firewall rule
allBlock requests containing SQL injection patterns targeting the 'conditions' parameter
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-supplied parameters
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Themify - WooCommerce Product Filter → Version. If version is 1.4.9 or lower, you are vulnerable.Check Version:
wp plugin get themify-wc-product-filter --field=versionVerify Fix Applied:
Verify plugin version is 1.5.0 or higher in WordPress admin panel. Check that the 'conditions' parameter is properly sanitized in requests.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests with 'conditions' parameter containing SQL syntax
- Slow response times from product filter endpoints
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with SQL keywords in parameters
- Repeated requests with SLEEP() or BENCHMARK() functions in parameters
SIEM Query:
source="web_logs" AND (uri="*admin-ajax.php*" AND params="*conditions=*" AND (params="*SLEEP(*" OR params="*BENCHMARK(*" OR params="*UNION*" OR params="*SELECT*"))🔗 References
- https://plugins.trac.wordpress.org/browser/themify-wc-product-filter/trunk/public/class-wpf-public.php#L604
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3104239%40themify-wc-product-filter%2Ftrunk&old=3100861%40themify-wc-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2
- https://themify.org/changelogs/themify-wc-product-filter.txt
- https://www.wordfence.com/threat-intel/vulnerabilities/id/451db756-9d62-4c8e-b735-e5e5207b81e3?source=cve
- https://plugins.trac.wordpress.org/browser/themify-wc-product-filter/trunk/public/class-wpf-public.php#L604
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3104239%40themify-wc-product-filter%2Ftrunk&old=3100861%40themify-wc-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2
- https://themify.org/changelogs/themify-wc-product-filter.txt
- https://www.wordfence.com/threat-intel/vulnerabilities/id/451db756-9d62-4c8e-b735-e5e5207b81e3?source=cve
