CVE-2024-6265
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform time-based SQL injection attacks on WordPress sites using the UsersWP plugin. Attackers can extract sensitive database information by manipulating the 'uwp_sort_by' parameter. All WordPress sites running UsersWP version 1.2.10 or earlier are affected.
💻 Affected Systems
- UsersWP - Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
📦 What is this software?
UsersWP by AyeCode
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, personal data, and administrative access leading to site takeover.
Likely Case
Extraction of sensitive user data (emails, hashed passwords, personal information) and potential privilege escalation.
If Mitigated
Limited information disclosure if database permissions are properly restricted and WAF blocks injection attempts.
🎯 Exploit Status
Time-based SQL injection requires no authentication and can be automated with readily available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.11 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3106884/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the UsersWP plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.2.11 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable UsersWP Plugin
Temporarily disable the vulnerable plugin until it is patched.
wp plugin deactivate userswp
WAF Rule Implementation
Add web application firewall rules to block SQL injection attempts on the uwp_sort_by parameter.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries at application level
- Deploy web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → UsersWP version number. If version is 1.2.10 or earlier, you are vulnerable.
Check Version:
wp plugin get userswp --field=version
Verify Fix Applied:
Verify UsersWP plugin version is 1.2.11 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries containing uwp_sort_by parameter
- Multiple failed SQL injection attempts in web server logs
- Long response times from specific endpoints (time-based injection indicator)
Network Indicators:
- HTTP requests with SQL injection payloads in uwp_sort_by parameter
- Repeated requests to UsersWP endpoints with varying parameters
SIEM Query:
source="web_server_logs" AND (uwp_sort_by AND (SELECT OR SLEEP OR UNION OR --))
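A defender-side implementation of the WAF rule described under Temporary Workarounds and of the log indicators listed above, as an added example that is not part of this advisory or of the UsersWP project. It assumes Apache combined log format with the request duration in microseconds (%D) appended as the last field; the sample log lines are constructed, the allowlist of "safe" uwp_sort_by characters and the 3000 ms slow-response threshold are assumptions to tune for your site, and the function names are the example's own.

```python
import re
import urllib.parse

# Assumption: legitimate uwp_sort_by values are simple tokens (e.g. "newest", "oldest").
# Anything outside this character set is treated as a WAF block / log alert.
SAFE_SORT_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")

# SQL keywords and metacharacters from the advisory's SIEM query, plus quotes/parentheses.
SQLI_HINT = re.compile(r"\b(select|sleep|union|benchmark)\b|--|[';()]", re.IGNORECASE)

# Apache combined format with %D (microseconds) appended as the final field (assumption).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)

# Constructed sample traffic for the example; not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2024:10:01:02 +0000] "GET /members/?uwp_sort_by=newest HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 180000
203.0.113.10 - - [12/Jul/2024:10:01:05 +0000] "GET /members/?uwp_sort_by=newest%20AND%20(SELECT%20SLEEP(5)) HTTP/1.1" 200 5120 "-" "python-requests/2.31" 5210000
198.51.100.7 - - [12/Jul/2024:10:02:11 +0000] "GET /members/?uwp_sort_by=oldest HTTP/1.1" 200 5100 "-" "Mozilla/5.0" 170000
203.0.113.10 - - [12/Jul/2024:10:02:30 +0000] "GET /members/?uwp_sort_by=newest%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 5120 "-" "python-requests/2.31" 200000
"""


def sort_by_value(url):
    """Return the percent-decoded uwp_sort_by value from a request URL, or None if absent."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    values = params.get("uwp_sort_by")
    return values[0] if values else None


def waf_should_block(value):
    """WAF-style decision: block any uwp_sort_by value outside the safe token allowlist."""
    return value is not None and not SAFE_SORT_VALUE.match(value)


def scan_log(text, slow_ms=3000):
    """Flag requests matching the advisory's log indicators; returns one finding per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        value = sort_by_value(m["url"])
        if value is None:
            continue  # request does not touch the vulnerable parameter
        reasons = []
        if waf_should_block(value):
            reasons.append("unexpected characters in uwp_sort_by")
        if SQLI_HINT.search(value):
            reasons.append("SQL keyword or metacharacter in uwp_sort_by")
        if int(m["us"]) / 1000 >= slow_ms:
            reasons.append("slow response (possible time-based injection)")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "value": value, "reasons": reasons})
    return findings


def repeat_offenders(findings, threshold=2):
    """Source IPs with at least `threshold` flagged requests (repeated probing indicator)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], repr(h["value"]), "; ".join(h["reasons"]))
    print("repeat offenders:", repeat_offenders(hits))
```

The allowlist check (waf_should_block) is the part worth porting to the WAF: it does not need to recognise SQL syntax, only to reject anything that is not a plain sort key, so it also catches obfuscated payloads the keyword pattern misses. The slow-response check is what distinguishes a blind time-based probe that succeeded from one the WAF already stopped.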
🔗 References
- https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.10/admin/settings/class-uwp-settings-user-sorting.php#L45
- https://plugins.trac.wordpress.org/changeset/3106884/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/37fd0582-5baf-4ced-a798-dc0970e90a3e?source=cve