CVE-2024-13596 in Survey & Poll Plugin
Summary
by MITRE • 01/30/2025
The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'id' attribute of the 'survey' shortcode in all versions up to, and including, 1.7.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
by VulDB Data Team • 01/30/2025
The vulnerability identified as CVE-2024-13596 affects the WordPress Survey & Poll plugin in all versions up to and including 1.7.5. The flaw lies in the plugin's handling of the 'survey' shortcode, whose 'id' attribute is processed without proper input sanitization. It is a classic SQL injection weakness that can be exploited by authenticated attackers holding Contributor-level privileges or higher within the WordPress environment.
The vulnerability stems from insufficient escaping of user-supplied parameters when the plugin builds its database queries. When the 'id' attribute is passed through the survey shortcode, the plugin neither prepares the statement nor sanitizes the value before incorporating it into the SQL query. This missing input validation lets an attacker append additional SQL to existing database operations. The weakness is categorized as CWE-89, which covers SQL injection flaws where untrusted data is incorporated into SQL commands without proper escaping or parameterization.
Attackers with Contributor-level access or higher can leverage this vulnerability to execute unauthorized database queries against the WordPress installation. The impact extends beyond simple data extraction to potentially allow for data manipulation, privilege escalation, and further exploitation of the compromised system. The authenticated nature of the attack means that an attacker must already have access to a valid user account with appropriate permissions, but this access level is often achievable through various means including credential theft or social engineering attacks. The vulnerability's exploitation allows for extraction of sensitive information from the database including user credentials, configuration details, and potentially other confidential data stored within the WordPress environment.
The operational impact of this vulnerability is significant for WordPress administrators and security teams, who must address the risk of unauthorized data access. Organizations running the affected plugin versions face potential exposure to data breaches, unauthorized system modifications, and possible escalation to full system compromise. The vulnerability affects not only the immediate plugin functionality but also the broader security posture of any WordPress installation that relies on this component.
Mitigation should begin with immediate patching to version 1.7.6 or later, which addresses the SQL injection vulnerability through proper input sanitization and parameterized query construction. Additionally, implementing network-level restrictions, monitoring for unusual database activity, and enforcing the principle of least privilege for user accounts can reduce the attack surface and limit the damage from exploitation attempts. The vulnerability demonstrates the importance of proper input validation and parameterization in database operations, and the analysis maps it to ATT&CK technique T1071.004 for application layer protocol manipulation and T1566 for credential access through social engineering that could lead to privilege escalation.
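To make the weakness described above concrete, the following is an added illustration of the vulnerable shortcode pattern beside its hardened form. It is not the Survey & Poll plugin's own code; the table name, column names and function names are hypothetical, and it assumes only the standard WordPress APIs (shortcode_atts, $wpdb->prepare, absint, esc_html, add_shortcode). The reason Contributor-level access is enough is that contributors can place a shortcode in a post they author and have it rendered, so any attribute they type reaches the handler.

```php
<?php
// Added illustration, not the Survey & Poll plugin's own code.
// The table 'example_surveys' and both handler names are hypothetical.

// Vulnerable pattern (CWE-89): the shortcode attribute is concatenated
// straight into the SQL string, with no escaping and no preparation.
function example_survey_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'id' => '' ), $atts, 'survey' );
    $table = $wpdb->prefix . 'example_surveys';
    // $atts['id'] is controlled by whoever wrote the shortcode into a post;
    // anything after the numeric part becomes part of the query text.
    $survey = $wpdb->get_row( "SELECT id, title FROM {$table} WHERE id = " . $atts['id'] );
    return $survey ? esc_html( $survey->title ) : '';
}

// Hardened pattern: coerce the attribute to the type the query expects,
// reject the empty case, and bind the value with $wpdb->prepare().
function example_survey_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'survey' );
    $id   = absint( $atts['id'] ); // non-numeric or negative input collapses to 0
    if ( 0 === $id ) {
        return '';
    }
    // The table name comes from the site prefix, not from user input, so
    // interpolating it is safe; the user-derived value is bound via %d.
    $table  = $wpdb->prefix . 'example_surveys';
    $survey = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $id )
    );
    return $survey ? esc_html( $survey->title ) : '';
}

// Register only the hardened handler for the 'survey' shortcode.
add_shortcode( 'survey', 'example_survey_shortcode_fixed' );
```

When reviewing a plugin for this class of bug, the check is mechanical: every $wpdb->query(), get_row(), get_results() or get_var() call whose SQL string contains a value derived from shortcode attributes, request parameters or post meta must either go through $wpdb->prepare() with a placeholder for that value or use a value already cast to the expected scalar type. A numeric cast alone (absint, intval) closes the hole for integer ids; string values need the placeholder.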