A critical vulnerability has been disclosed in GamiPress, a popular WordPress plugin used to add gamification and reward systems to websites.
The high-impact flaw, categorized as CVE-2024-13496 with a CVSS 3.1 score of 7.5, allowed unauthenticated attackers to inject malicious SQL queries that could potentially compromise entire WordPress installations.
The vulnerability, which affected all GamiPress versions up to 7.3.1, was finally patched in version 7.3.2, released on March 18, 2025.
During an offsite security assessment, security researcher Abrahack identified the vulnerability while examining GamiPress plugin version 7.2.1.
The vulnerability stemmed from improper input validation in the plugin’s log retrieval functionality, specifically in the gamipress_get_logs AJAX endpoint, which allows unauthenticated access through the WordPress hook wp_ajax_nopriv_{$action}.
This type of SQL injection vulnerability is hazardous because it requires no authentication to exploit. An attacker could potentially extract sensitive information from the database or even take control of the website.
The vulnerability lay in the plugin’s handling of the orderby parameter in database queries. The vulnerable code in the plugin can be seen here:
While the code attempted to sanitize inputs using sanitize_text_field(), the vulnerability occurred further down the execution chain in the CT_Query class, where the orderby parameter was unsafely incorporated into SQL queries:
This code eventually led to the construction of an SQL query where the attacker-controlled input was incorporated:
The summary of the vulnerability is given below:
| Risk Factors | Details |
|---|---|
| Affected Products | GamiPress WordPress plugin, versions ≤ 7.2.1 |
| Impact | SQL injection, extracting sensitive information from the database |
| Exploit Prerequisites | No authentication required; ability to send HTTP requests with a manipulated ‘orderby’ parameter |
| CVSS 3.1 Score | 7.5 (High) |
The developers of GamiPress addressed the vulnerability by implementing a whitelist approach for the orderby parameter, restricting it to a predefined list of valid columns in the database table.
This approach effectively prevents attackers from injecting malicious SQL commands. Cybersecurity experts strongly urge WordPress website administrators using the GamiPress plugin to update to version 7.3.2 or later immediately. Additionally, administrators should:
This vulnerability reminds us of the importance of regular security audits and prompt patching of content management systems and their extensions to maintain website security integrity.
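The allow-list approach described above, as an added example that is not GamiPress’s own code: the sort column and direction are chosen from fixed sets and the limit is cast to an integer before anything reaches the SQL string, so an unexpected orderby value falls back to the default instead of being interpolated. The table name, column names and function names are constructed for illustration.

```php
<?php
// Added example (not GamiPress code): allow-list validation for a
// caller-controlled ORDER BY value before it reaches an SQL string.
// Table and column names below are constructed for illustration.

declare(strict_types=1);

// Columns a caller is legitimately allowed to sort the log table by.
// Anything else (extra commas, subqueries, comments) is rejected outright.
const GP_LOG_ORDERBY_ALLOWED = ['log_id', 'type', 'user_id', 'date'];

/**
 * Return a safe ORDER BY column: the requested one if it is on the allow-list,
 * otherwise the default. The comparison is exact, so no escaping is involved.
 */
function gp_safe_orderby(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

/** Normalise the sort direction to exactly ASC or DESC. */
function gp_safe_order(string $requested): string
{
    return strtoupper($requested) === 'DESC' ? 'DESC' : 'ASC';
}

/**
 * Build the query for a log-listing endpoint. Identifiers (column, direction)
 * come from fixed sets; the only request value interpolated directly is the
 * limit, which is cast to a bounded integer first.
 */
function gp_build_logs_query(array $request): string
{
    $orderby = gp_safe_orderby((string) ($request['orderby'] ?? ''), GP_LOG_ORDERBY_ALLOWED, 'log_id');
    $order   = gp_safe_order((string) ($request['order'] ?? 'DESC'));
    $limit   = max(1, min(100, (int) ($request['limit'] ?? 20)));

    return "SELECT * FROM wp_gamipress_logs ORDER BY `{$orderby}` {$order} LIMIT {$limit}";
}

// Constructed requests: one benign, one whose values are not a column,
// a direction or a plain integer. The second one is reduced to defaults.
$benign  = ['orderby' => 'date', 'order' => 'asc', 'limit' => '5'];
$hostile = ['orderby' => '(SELECT 1)', 'order' => 'DESC; --', 'limit' => '5 OR 1'];

echo gp_build_logs_query($benign), PHP_EOL;
echo gp_build_logs_query($hostile), PHP_EOL;
```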
The post WordPress Plug-in Vulnerability Let Hackers Inject Malicious SQL Queries appeared first on Cyber Security News.