CVE-2024-6924
📋 TL;DR
This SQL injection vulnerability in the TrueBooker WordPress plugin allows unauthenticated attackers to execute arbitrary SQL commands via AJAX requests. It affects WordPress sites running TrueBooker versions before 1.0.3, potentially compromising the entire database.
💻 Affected Systems
- TrueBooker WordPress Plugin
📦 What is this software?
Truebooker by Themetechmount
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive data theft, privilege escalation, and full site takeover via SQL injection leading to remote code execution.
Likely Case
Data exfiltration, database manipulation, and potential administrative access to the WordPress site.
If Mitigated
Limited impact with proper input validation, parameterized queries, and web application firewall rules blocking SQL injection patterns.
🎯 Exploit Status
Simple SQL injection via AJAX endpoint with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.3
Vendor Advisory: https://wpscan.com/vulnerability/39e79801-6ec7-4579-bc6b-fd7e899733a8/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the TrueBooker plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.0.3+ from the WordPress repository.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable AJAX action via .htaccess or web server configuration. Note that the rewrite rule below inspects only the URL query string, so a request that sends the action parameter in the POST body is not caught by it; the ModSecurity rule further down covers both.
# Add to .htaccess:
RewriteCond %{QUERY_STRING} action=truebooker_ajax [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Web Application Firewall rule
Add an SQL injection detection rule for TrueBooker AJAX requests
# Example ModSecurity rule:
SecRule ARGS:action "@streq truebooker_ajax" \
"id:1001,phase:2,deny,status:403,msg:'Block TrueBooker SQLi attempt'"
SecRule ARGS "@detectSQLi" \
"id:1002,phase:2,deny,status:403,msg:'SQL injection attempt detected'"
🧯 If You Can't Patch
- Disable the TrueBooker plugin completely until patched
- Implement strict network access controls to limit AJAX endpoint exposure
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → TrueBooker version. If version is below 1.0.3, site is vulnerable.
Check Version:
wp plugin list --name=truebooker --field=version
Verify Fix Applied:
Confirm TrueBooker plugin version is 1.0.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple POST requests to /wp-admin/admin-ajax.php with 'action=truebooker_ajax' parameter
- SQL syntax in HTTP parameters
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php containing SQL keywords (SELECT, UNION, etc.) in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND (query_string="*action=truebooker_ajax*" OR query_string="*SELECT*" OR query_string="*UNION*" OR query_string="*FROM*" OR query_string="*WHERE*")
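The log indicators and SIEM query above, expressed as an offline check over web server access logs. This is an added example, not part of the advisory: it assumes Apache/nginx combined log format, the action name `truebooker_ajax` as given above, and constructed sample lines. Like the SIEM query, it sees only the URL query string, since POST bodies are not written to access logs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format (assumed): ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "truebooker_ajax"          # action name as stated in the advisory
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|FROM|WHERE)\b", re.IGNORECASE)


def classify(line):
    """Return indicator tags for one access-log line; [] when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path != AJAX_PATH:
        return []                           # only admin-ajax.php is of interest
    tags = []
    params = parse_qs(parts.query, keep_blank_values=True)
    if SUSPECT_ACTION in params.get("action", []):
        tags.append("truebooker_ajax action")
    # Decode %XX and '+' first so encoded keywords (UNION%20SELECT) are still seen.
    # Bare keywords such as FROM can appear in benign text, so treat as a lead, not proof.
    if SQL_KEYWORDS.search(unquote_plus(parts.query)):
        tags.append("sql keyword in query")
    return tags


def scan(lines):
    """Return (ip, method, tags) for each line that raised at least one indicator."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("method"), tags))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=truebooker_ajax HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=truebooker_ajax&id=1%20UNION%20SELECT%201 HTTP/1.1" 200 812 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jul/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2024:12:00:04 +0000] "GET /index.php?s=select+from HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, tags in scan(SAMPLE_LOG):
        print(f"{ip} {method} -> {', '.join(tags)}")
```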