CVE-2024-12416 Overview
CVE-2024-12416 is a SQL injection vulnerability in the Live Sales Notification for WooCommerce – Woomotiv plugin for WordPress. The flaw affects all versions up to and including 3.6.1. The plugin fails to escape user-supplied input from the woomotiv_seen_products_.* cookie and does not properly prepare the SQL query that consumes it. Unauthenticated attackers can append additional SQL statements to existing queries and extract sensitive data from the WordPress database. The issue is tracked under CWE-89.
Critical Impact
Unauthenticated attackers can extract sensitive database contents — including user credentials, order data, and personally identifiable information — by manipulating a controllable cookie value.
Affected Products
- Live Sales Notification for WooCommerce – Woomotiv plugin for WordPress
- All versions up to and including 3.6.1
- WordPress sites running WooCommerce with the Woomotiv plugin installed
Discovery Timeline
- 2025-01-07 - CVE-2024-12416 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12416
Vulnerability Analysis
The Woomotiv plugin tracks products viewed by site visitors using cookies named with the prefix woomotiv_seen_products_. The plugin reads these cookie values and incorporates them into a SQL query without sufficient escaping and without using prepared statements with bound parameters. Because cookies are client-controlled, an unauthenticated attacker can set a crafted cookie value that breaks out of the intended query context. The injected SQL executes against the WordPress database with the privileges of the plugin's database user.
The vulnerability is exploitable over the network without authentication or user interaction. Successful exploitation results in confidentiality loss, including extraction of WordPress user records, password hashes from wp_users, session tokens from wp_usermeta, and WooCommerce order data. The flaw does not directly modify data or impact availability, but stolen credentials enable follow-on account takeover.
Root Cause
The root cause is failure to sanitize the woomotiv_seen_products_.* cookie input and absence of parameterized queries. The plugin concatenates the cookie value directly into the SQL string rather than using $wpdb->prepare() with placeholders. This is a textbook CWE-89 instance where user-controlled data flows into a SQL sink without validation.
Attack Vector
An attacker sends an HTTP request to a vulnerable WordPress site with a crafted Cookie header matching the woomotiv_seen_products_* pattern. The cookie value contains SQL syntax that terminates the original query clause and appends a UNION SELECT or similar statement. The plugin processes the cookie during normal page load, executes the malicious query, and returns or exposes data in observable behavior such as response timing, error output, or rendered content. See the Wordfence Vulnerability Report and the WordPress Changeset Update for additional technical context.
Detection Methods for CVE-2024-12416
Indicators of Compromise
- HTTP requests containing Cookie headers with woomotiv_seen_products_ prefix and SQL metacharacters such as ', --, UNION, SELECT, or SLEEP(.
- Unexpected database errors or slow query log entries originating from Woomotiv plugin code paths.
- Outbound traffic or unusual reads against wp_users, wp_usermeta, or WooCommerce order tables shortly after anonymous visitor traffic.
Detection Strategies
- Inspect web server access logs for cookie values matching the Woomotiv prefix that contain URL-encoded SQL syntax (%27, %20UNION%20, %20SELECT%20).
- Deploy web application firewall rules that flag SQL keywords inside cookie headers, particularly those scoped to plugin-specific cookie names.
- Correlate anonymous HTTP traffic with subsequent failed logins or credential-stuffing patterns that may indicate post-exploitation use of extracted hashes.
Monitoring Recommendations
- Enable the MySQL general query log or slow query log on staging instances to baseline legitimate Woomotiv queries and identify deviations.
- Monitor WordPress plugin version inventory and alert when Woomotiv 3.6.1 or earlier is present.
- Track EPSS movement for CVE-2024-12416, currently at 0.708% (72.5 percentile), as a signal of changing exploitation likelihood.
How to Mitigate CVE-2024-12416
Immediate Actions Required
- Update the Live Sales Notification for WooCommerce – Woomotiv plugin to a version later than 3.6.1 immediately.
- Audit WordPress user accounts and force password resets if any indicator of compromise is identified.
- Review WooCommerce order and customer tables for evidence of unauthorized read access.
Patch Information
The vendor addressed the issue in the changeset published at the WordPress Plugin Repository. Site administrators should update to the latest available release through the WordPress admin dashboard under Plugins → Installed Plugins, or via WP-CLI with wp plugin update woomotiv.
Workarounds
- Deactivate and remove the Woomotiv plugin if an updated version cannot be installed promptly.
- Add a web application firewall rule to drop or sanitize requests containing SQL metacharacters in cookies matching woomotiv_seen_products_*.
- Restrict the database user assigned to WordPress to read-only access on non-essential tables where business logic permits.
# Update Woomotiv plugin via WP-CLI
wp plugin update woomotiv
# Verify installed version is greater than 3.6.1
wp plugin get woomotiv --field=version
# If patching is not possible, deactivate the plugin
wp plugin deactivate woomotiv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
