CVE-2024-6159
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the Push Notification for Post and BuddyPress plugin before version 1.9.4. Attackers can potentially read, modify, or delete database content, including sensitive user data. All WordPress installations with the vulnerable plugin version are affected.
💻 Affected Systems
- Push Notification for Post and BuddyPress WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, remote code execution via database functions, and full site takeover.
Likely Case
Data exfiltration of user information, plugin/theme manipulation, and potential administrative access through credential theft.
If Mitigated
Limited impact with proper input validation, database user restrictions, and web application firewall rules blocking SQL injection patterns.
🎯 Exploit Status
Exploitation requires minimal technical skill due to public proof-of-concept and unauthenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.4
Vendor Advisory: https://wpscan.com/vulnerability/de20ebda-b0bc-489e-a8d3-e9487a2b48e8/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Push Notification for Post and BuddyPress'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.9.4 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable AJAX action that processes the unsanitized parameter.
Add to the theme's functions.php or a custom plugin (the hook and callback names below are placeholders; substitute the plugin's actual AJAX action and callback, which this advisory does not name):
remove_action('wp_ajax_nopriv_vulnerable_action', 'vulnerable_callback');
remove_action('wp_ajax_vulnerable_action', 'vulnerable_callback');
Note that remove_action() only takes effect if it runs after the plugin has registered the hook; a theme's functions.php loads after plugins, so the ordering holds there.
Web Application Firewall rule
Block SQL injection patterns targeting the vulnerable plugin endpoint.
ModSecurity rule:
SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt on push notification plugin'"
As written this rule inspects every request argument site-wide, not only the plugin's endpoint; review it for false positives on legitimate content before enforcing it.
🧯 If You Can't Patch
- Disable or remove the Push Notification for Post and BuddyPress plugin entirely.
- Implement network-level restrictions to block external access to /wp-admin/admin-ajax.php. Many front-end features (including other plugins' unauthenticated 'nopriv' actions) also rely on admin-ajax.php, so test the restriction before enforcing it.
🔍 How to Verify
Check if Vulnerable:
Check the version number of 'Push Notification for Post and BuddyPress' under WordPress admin → Plugins → Installed Plugins. If it is below 1.9.4, the site is vulnerable.
Check Version:
wp plugin list --name='Push Notification for Post and BuddyPress' --field=version
Verify Fix Applied:
Confirm that the plugin version shows 1.9.4 or higher in the WordPress admin panel. Test the previously vulnerable endpoint with a safe, non-destructive payload to confirm that SQL injection is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug.log
- Multiple POST requests to /wp-admin/admin-ajax.php with SQL keywords in parameters
- Unexpected database queries from web server process
Network Indicators:
- HTTP POST requests containing SQL injection patterns (UNION, SELECT, etc.) to WordPress AJAX endpoints
- Abnormal traffic spikes to admin-ajax.php
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "OR 1=1")
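As an added example, not part of this advisory, the following Python script applies the log indicators above to constructed access-log lines. It decodes the POST body before matching, so percent-encoded or mixed-case keywords that the plain SIEM query above would miss are still flagged. The log format (combined log with the POST body appended as a final quoted field), the IP addresses and the parameter names are all assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines: combined-log format with the POST body
# appended as a final quoted field. Not real traffic from any site.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=heartbeat&_nonce=abc123"
203.0.113.11 - - [01/Jul/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "action=some_action&id=1%27%20or%201%3D1--"
203.0.113.12 - - [01/Jul/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "action=some_action&id=1+UNION+SELECT+user_login,user_pass+FROM+wp_users"
203.0.113.13 - - [01/Jul/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

# Matched case-insensitively against the *decoded* parameter value, so mixed
# case and percent-encoding do not hide the keywords the SIEM query looks for.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "comment-terminator": re.compile(r"(--|#|/\*)\s*$"),
}

def find_sqli_attempts(log_text, target="/wp-admin/admin-ajax.php"):
    """Return one hit per suspicious parameter in POST requests to the AJAX endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != target:
            continue
        # parse_qs percent-decodes values and turns '+' back into spaces.
        params = parse_qs(m["body"], keep_blank_values=True)
        action = params.get("action", ["?"])[0]
        for name, values in params.items():
            for value in values:
                matched = [p for p, rx in SQLI_PATTERNS.items() if rx.search(value)]
                if matched:
                    hits.append({"ip": m["ip"], "action": action,
                                 "param": name, "patterns": matched})
    return hits

if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(hit)
```

Benign heartbeat traffic to admin-ajax.php is not flagged; only the two requests whose decoded 'id' parameter carries a tautology or UNION SELECT are reported.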