CVE-2024-12428 Overview
CVE-2024-12428 is a SQL Injection vulnerability [CWE-89] affecting the WP Data Access – App, Table, Form and Chart Builder plugin for WordPress. The flaw exists in all versions up to and including 5.5.22. The vulnerability stems from insufficient escaping on the order[user_login][dir] parameter combined with inadequate preparation of the underlying SQL query. Unauthenticated attackers can append additional SQL queries to existing database operations, enabling extraction of sensitive data from the WordPress database.
Critical Impact
Unauthenticated attackers can exfiltrate sensitive data, including credentials and personally identifiable information, from any WordPress site running a vulnerable version of the plugin.
Affected Products
- WP Data Access – App, Table, Form and Chart Builder plugin for WordPress
- All versions up to and including 5.5.22
- Fixed in version 5.5.23
Discovery Timeline
- 2024-12-25 - CVE-2024-12428 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12428
Vulnerability Analysis
The vulnerability resides in the data table sorting functionality of the WP Data Access plugin. The plugin accepts an order[user_login][dir] parameter from HTTP requests and uses its value to construct the ORDER BY clause of a SQL statement. The implementation fails to escape user input and does not use parameterized queries.
Attackers can inject arbitrary SQL fragments into the query through this parameter. Because the injection point sits inside an ORDER BY clause, classic prepared-statement placeholders cannot be applied without explicit allow-listing of sort directions. The plugin lacks such validation in vulnerable releases.
The vulnerability does not require authentication, expanding the pool of potential attackers to anyone able to reach the affected endpoint. Exploitation can yield database contents including WordPress user records, password hashes, session tokens, and post metadata.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The fix in version 5.5.23 modifies WPDataAccess/Data_Tables/WPDA_Data_Tables.php to validate the sort direction value against an allow list rather than passing it directly into the query string. See the WordPress Plugin Change Log for the exact code changes.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker crafts an HTTP request to a plugin endpoint that processes the order[user_login][dir] parameter and includes injected SQL syntax such as a UNION-based payload. The injected SQL executes within the database context of the WordPress application, returning results in the HTTP response or via time-based inference.
The vulnerability is exploitable in prose terms only since no verified public exploit code has been confirmed. Refer to the Wordfence Vulnerability Report for additional context. The EPSS probability is 0.664%.
Detection Methods for CVE-2024-12428
Indicators of Compromise
- HTTP requests containing the parameter order[user_login][dir] with values other than asc or desc
- Request payloads containing SQL keywords such as UNION, SELECT, SLEEP, BENCHMARK, or comment sequences -- and /* within the dir parameter
- Anomalous database query latency or unusually large response bodies from WordPress admin-ajax or plugin endpoints
- Unexpected reads against the wp_users or wp_usermeta tables in MySQL general or slow query logs
Detection Strategies
- Inspect web server access logs for the order[user_login][dir] parameter and flag values that are not strict alphabetic sort directions
- Deploy Web Application Firewall (WAF) rules matching SQL Injection signatures on WordPress query string and POST body parameters
- Enable MySQL query logging and alert on ORDER BY clauses containing subqueries, UNION operators, or function calls
Monitoring Recommendations
- Monitor the installed version of the WP Data Access plugin across all WordPress instances and alert on versions at or below 5.5.22
- Correlate authentication failures and password reset events with prior anomalous requests to plugin endpoints
- Track outbound database query volume per WordPress site to identify bulk data extraction patterns
How to Mitigate CVE-2024-12428
Immediate Actions Required
- Update the WP Data Access plugin to version 5.5.23 or later on every affected WordPress site
- Audit WordPress user accounts and rotate credentials if exploitation indicators are present
- Review database access logs for unauthorized SELECT activity since the plugin was installed
Patch Information
The vendor released a fix in WP Data Access version 5.5.23. The patch enforces validation of the sort direction parameter in WPDataAccess/Data_Tables/WPDA_Data_Tables.php. Administrators should update through the WordPress plugin manager or by replacing plugin files with the fixed release. See the WordPress Plugin Change Log for change details.
Workarounds
- Deactivate the WP Data Access plugin until the patched version can be installed
- Apply a WAF rule that rejects requests containing SQL metacharacters in the order[user_login][dir] parameter
- Restrict the database user account used by WordPress to the minimum privileges required, removing access to tables not used by the application
# Example ModSecurity rule to block SQL metacharacters in the vulnerable parameter
SecRule ARGS:'order[user_login][dir]' "@rx (?i)(union|select|sleep|benchmark|--|/\*|;)" \
"id:1004284,phase:2,deny,status:403,msg:'CVE-2024-12428 WP Data Access SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
