CVE-2024-13491 in Small Package Quotes Plugininfo

Summary

by MITRE • 02/19/2025

The Small Package Quotes – For Customers of FedEx plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 4.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/19/2025

The vulnerability identified as CVE-2024-13491 affects the Small Package Quotes plugin for WordPress, specifically targeting versions up to and including 4.3.1. This plugin serves customers of FedEx by providing shipping quote functionality within WordPress environments. The security flaw stems from inadequate input validation and sanitization practices within the plugin's codebase, creating a critical entry point for malicious actors seeking to exploit the system's database layer. The vulnerability manifests through two distinct parameters named 'edit_id' and 'dropship_edit_id' which are processed without proper escaping mechanisms, allowing attackers to inject malicious SQL commands directly into the database query execution flow.

The technical implementation of this SQL injection vulnerability occurs when user-supplied parameters are directly incorporated into SQL queries without appropriate preparation or sanitization. This flaw aligns with CWE-89 which categorizes SQL injection as a dangerous input handling vulnerability where untrusted data is embedded into database queries without proper escaping or parameterization. The absence of sufficient query preparation means that attackers can manipulate the existing SQL structure by appending additional commands to the original query, effectively bypassing normal authentication and authorization controls. This type of vulnerability is particularly dangerous because it allows unauthenticated attackers to execute arbitrary SQL commands against the WordPress database, potentially leading to complete system compromise.

The operational impact of this vulnerability extends beyond simple data extraction, as it provides attackers with the capability to perform a wide range of malicious activities within the compromised WordPress environment. Successful exploitation could enable attackers to read sensitive information including user credentials, customer data, and administrative access details stored within the database. The vulnerability's unauthenticated nature means that attackers do not require valid user credentials to initiate the attack, making it particularly dangerous for publicly accessible WordPress installations. Additionally, the attack could potentially be used to escalate privileges, modify database content, or even install malicious code within the WordPress environment, as demonstrated by ATT&CK technique T1078 which covers legitimate credentials use for persistence and privilege escalation.

Organizations affected by this vulnerability should immediately implement mitigations including upgrading to the latest plugin version where the SQL injection flaw has been addressed. The recommended approach involves thorough input validation and parameterization of all database queries, ensuring that user-supplied parameters are properly escaped or bound to prevent malicious SQL command injection. Security measures should also include implementing web application firewalls to detect and block suspicious SQL injection patterns, conducting regular security audits of third-party plugins, and maintaining comprehensive backup procedures to enable rapid recovery in case of successful exploitation. Database access controls should be reviewed to ensure that application accounts have minimal required privileges, and monitoring systems should be enhanced to detect unusual database query patterns that may indicate exploitation attempts.

Responsible

Wordfence

Reservation

01/16/2025

Disclosure

02/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00436

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!