CVE-2024-0610 in WooCommerce Payment Gateway
Summary
by MITRE • 02/17/2024
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified in CVE-2024-0610 affects the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress, representing a critical time-based blind SQL injection flaw that has been present in all versions up to and including 1.6.5.1. This vulnerability stems from inadequate input sanitization and improper SQL query preparation mechanisms within the plugin's codebase. The specific parameter 'MerchantReference' serves as the attack vector, where unauthenticated malicious actors can manipulate the input to inject additional SQL commands into existing database queries. This flaw operates under the principle of time-based blind SQL injection, where attackers can infer database contents through response timing variations rather than direct data extraction, making detection more challenging. The vulnerability classification aligns with CWE-89, which specifically addresses SQL injection flaws where insufficient escaping of user-supplied data allows attackers to manipulate database queries through crafted input.
The technical implementation of this vulnerability occurs when the plugin processes payment requests containing the MerchantReference parameter without proper sanitization or parameterization. The plugin fails to implement proper input validation or escaping mechanisms, allowing attackers to append malicious SQL fragments to the existing query structure. When the application executes these modified queries, the database responds with timing variations that correspond to the success or failure of the injected SQL commands. This enables attackers to systematically extract database information through a process of trial and error, where each successful inference of data results in a measurable delay in response time. The lack of prepared statement usage or proper parameter binding leaves the system completely exposed to such manipulations, as the database engine processes the concatenated SQL fragments as legitimate commands rather than isolated input parameters.
The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with a pathway to compromise the entire WordPress installation and underlying database infrastructure. Unauthenticated attackers can leverage this vulnerability to extract sensitive information including customer payment details, user credentials, and potentially administrative access credentials stored within the database. The time-based nature of the attack means that extraction processes require more time but are still feasible, making this vulnerability particularly dangerous in environments where database responses are not closely monitored for unusual timing patterns. The attack can be automated using various tools designed for blind SQL injection, allowing for systematic data harvesting without requiring real-time interaction with the target system. This vulnerability directly impacts the confidentiality and integrity of the payment processing system, potentially leading to financial fraud and regulatory compliance violations that could result in significant financial and reputational damage to both the organization and its customers.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that properly implement input sanitization and parameterized queries. Organizations should also implement network-level monitoring to detect unusual timing patterns that might indicate SQL injection attempts, utilizing intrusion detection systems that can identify potential blind SQL injection activities. The implementation of proper parameterized queries and input validation mechanisms should be enforced across all database interactions, ensuring that user-supplied data cannot be interpreted as executable SQL commands. Additionally, organizations should consider implementing web application firewalls that can detect and block known SQL injection attack patterns, while also establishing comprehensive logging and monitoring procedures to track database access patterns and identify potential exploitation attempts. Security hardening measures including limiting database user privileges and implementing proper access controls should be implemented to minimize the potential impact of successful exploitation attempts, as outlined in the attack patterns documented under the MITRE ATT&CK framework for SQL injection techniques.