CVE-2024-6353
📋 TL;DR
This SQL injection vulnerability in the Wallet for WooCommerce WordPress plugin allows authenticated attackers with Subscriber-level access or higher to inject malicious SQL queries via the 'search[value]' parameter. Attackers can extract sensitive information from the database, including user credentials, payment details, and other confidential data. All WordPress sites using this plugin up to version 1.5.4 are affected.
💻 Affected Systems
- Wallet for WooCommerce WordPress plugin
📦 What is this software?
Terawallet by Standalonetech
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to theft of all user data, financial information, administrative credentials, and potential site takeover.
Likely Case
Extraction of sensitive user information including emails, addresses, and potentially hashed passwords, leading to credential theft and privacy violations.
If Mitigated
Limited data exposure if proper input validation and parameterized queries are implemented, restricting attackers to read-only operations on specific tables.
🎯 Exploit Status
SQL injection via search parameter is well-understood and easily weaponized. Requires authenticated access but Subscriber is the lowest WordPress user role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.5
Vendor Advisory: https://wordpress.org/plugins/woo-wallet/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Wallet for WooCommerce'.
4. Click 'Update Now' if available.
5. If not, download version 1.5.5+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate woo-wallet
WAF Rule Implementation
Add web application firewall rules to block SQL injection patterns in search parameters
# Configure WAF to block SQL patterns in 'search[value]' parameter
🧯 If You Can't Patch
- Restrict user registration and limit Subscriber role assignments
- Implement additional database monitoring and alerting for unusual SQL queries
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Wallet for WooCommerce' version ≤1.5.4
Check Version:
wp plugin get woo-wallet --field=version
Verify Fix Applied:
Verify plugin version is 1.5.5 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by successful Subscriber login
- Requests with suspicious 'search[value]' parameters containing SQL keywords
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with SQL injection patterns in parameters
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (param="search[value]" AND value MATCHES "(?i)(\b(union|select|from|where|or|and)\b|--|#|;)")
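The log and network indicators above can be checked offline against web server logs. The following Python script is an added example and not part of the advisory or the plugin: it parses combined-format access log lines, decodes the 'search[value]' parameter from admin-ajax.php requests (and from a form-encoded POST body when a WAF or audit log supplies one, since plain access logs do not record bodies), and flags values that carry SQL keywords. Keywords are word-bounded so legitimate searches such as "order refund" do not trigger. The sample log lines and the `action=example_table` parameter are constructed placeholders, not real traffic or the plugin's real AJAX action name.

```python
"""Flag admin-ajax.php requests whose 'search[value]' parameter carries
SQL keywords. Added example; sample data below is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Word-bounded keywords: 'order', 'brand' or 'fromage' in an ordinary search
# string must not fire. Comment/terminator tokens need no boundary.
SQLI_PATTERN = re.compile(
    r"\b(?:union|select|from|where|or|and)\b|--|#|;", re.IGNORECASE)

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/Nginx "combined" format:
#   ip - user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def search_values(uri, body=None):
    """Return every decoded 'search[value]' found in the query string and,
    if supplied (e.g. from a ModSecurity audit log), in a form-encoded body.
    parse_qs percent-decodes both keys and values, so 'search%5Bvalue%5D'
    comes back as 'search[value]'."""
    values = []
    query = urlsplit(uri).query
    for source in (query, body or ""):
        values.extend(
            parse_qs(source, keep_blank_values=True).get("search[value]", []))
    return values


def classify(method, uri, body=None):
    """Return the first suspicious search[value] for an admin-ajax.php
    request, or None when the request is not to that path or looks benign."""
    if urlsplit(uri).path != AJAX_PATH:
        return None
    for value in search_values(uri, body):
        if SQLI_PATTERN.search(value):
            return value
    return None


def scan_access_log(lines):
    """Return (ip, timestamp, value) for each flagged GET in combined-format
    log lines. POST bodies are absent from access logs, so POST hits need a
    body-capturing source passed to classify() directly."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = classify(m["method"], m["uri"])
        if value is not None:
            hits.append((m["ip"], m["ts"], value))
    return hits


# Constructed sample lines (not real traffic); action name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=example_table&search%5Bvalue%5D=order+refund HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2024:12:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=example_table&search%5Bvalue%5D=x%27+UNION+SELECT+1%2C2--+ HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Jul/2024:12:01:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 64',
    '198.51.100.4 - - [10/Jul/2024:12:01:30 +0000] "GET /shop/?s=union+jack HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious search[value]: {value!r}")
```

Only the second sample line is reported: the first carries "order refund" (no bounded keyword), the third has no search parameter, and the fourth is a storefront search outside admin-ajax.php. Requests from a single Subscriber account that repeatedly trip this check are the pattern worth correlating with the login indicators listed above.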
🔗 References
- https://plugins.trac.wordpress.org/browser/woo-wallet/trunk/includes/class-woo-wallet-ajax.php#L393
- https://plugins.trac.wordpress.org/changeset/3116025/
- https://wordpress.org/plugins/woo-wallet/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d5a077-8836-4c28-8884-5047585a99e5?source=cve