Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-13475

CVE-2024-13475: Small Package Quotes SQLi Vulnerability

CVE-2024-13475 is a SQL injection vulnerability in the Small Package Quotes WordPress plugin that allows unauthenticated attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-13475 Overview

CVE-2024-13475 is a SQL injection vulnerability in the Small Package Quotes – UPS Edition plugin for WordPress, developed by Eniture. The flaw affects all plugin versions up to and including 4.5.16. It resides in the handling of the edit_id parameter, which is concatenated into a SQL query without adequate escaping or prepared statement usage. Unauthenticated attackers can append arbitrary SQL clauses to the existing query and extract sensitive data from the WordPress database. The issue is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.

Critical Impact

Unauthenticated remote attackers can exfiltrate database contents, including user credentials, session tokens, and configuration secrets stored in the WordPress database.

Affected Products

  • Eniture Small Package Quotes – UPS Edition for WordPress, all versions through 4.5.16
  • WordPress sites running the plugin with WooCommerce shipping integration
  • Any deployment exposing plugin endpoints that reference the edit_id parameter

Discovery Timeline

  • 2025-02-12 - CVE-2024-13475 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-13475

Vulnerability Analysis

The vulnerability stems from unsafe SQL query construction inside the plugin's request handling logic. The edit_id parameter is taken from user-controlled input and inserted directly into a SQL statement. The plugin neither escapes the input with esc_sql() nor uses $wpdb->prepare() with placeholders. As a result, attackers can break out of the intended query context and append additional SQL statements. Because the vulnerable code path does not require authentication, exploitation only requires the ability to send HTTP requests to the WordPress site.

Root Cause

The root cause is insufficient input validation combined with unsanitized string concatenation in a SQL query. WordPress provides $wpdb->prepare() specifically to bind parameters safely, but the affected code path bypasses this API. Any attacker-controlled string in edit_id is treated as part of the SQL grammar rather than as a data value.

Attack Vector

An attacker sends a crafted HTTP request to the plugin endpoint that consumes edit_id. By supplying a value containing SQL metacharacters, the attacker can attach a UNION SELECT or time-based blind payload to the original query. Typical exploitation extracts data from the wp_users and wp_usermeta tables, including user_login, user_pass hashes, and session information. The attack requires no user interaction and no privileges, and it is delivered entirely over the network.

// Illustrative request pattern — do not use for unauthorized testing
GET /wp-admin/admin-ajax.php?action=<vulnerable_action>&edit_id=1' UNION SELECT user_login,user_pass FROM wp_users-- -

Detection Methods for CVE-2024-13475

Indicators of Compromise

  • HTTP requests containing SQL metacharacters (', --, UNION, SELECT, SLEEP() in the edit_id parameter
  • Unusual response latency on plugin endpoints, indicating time-based blind SQL injection attempts
  • Web server access logs showing repeated requests to plugin AJAX or admin endpoints from a single source IP
  • Unexpected read activity against wp_users, wp_usermeta, or wp_options in database audit logs

Detection Strategies

  • Deploy WAF rules that inspect the edit_id parameter for SQL syntax patterns and known injection payloads
  • Enable WordPress database query logging and alert on queries containing UNION SELECT originating from plugin code paths
  • Correlate access logs with authentication events to spot credential-stuffing or admin login attempts following suspicious plugin requests

Monitoring Recommendations

  • Monitor outbound traffic from the WordPress host for exfiltration patterns after suspicious plugin requests
  • Track file integrity for wp-config.php and plugin directories to detect post-exploitation persistence
  • Ingest WordPress and web server logs into a centralized SIEM and apply detection rules for SQL injection indicators

How to Mitigate CVE-2024-13475

Immediate Actions Required

  • Update the Small Package Quotes – UPS Edition plugin to a version newer than 4.5.16 that includes the fix committed in the WordPress plugin changeset 3237693
  • If a patched version is not yet available in your environment, disable and remove the plugin until it can be updated
  • Rotate WordPress administrator passwords and any secrets stored in wp-config.php if exploitation is suspected
  • Review database audit logs and web access logs for injection attempts against the edit_id parameter

Patch Information

Eniture released a fix through the WordPress plugin repository. The corrective change is documented in the WordPress plugin changeset 3237693 and detailed in the Wordfence Vulnerability Report. Administrators should update to the latest plugin version through the WordPress admin dashboard or via WP-CLI.

Workarounds

  • Deploy a web application firewall rule blocking SQL metacharacters in the edit_id query parameter
  • Restrict access to plugin admin and AJAX endpoints to trusted IP ranges using web server configuration
  • Apply least-privilege database credentials to the WordPress database user to limit the blast radius of successful injection
bash
# Update the plugin via WP-CLI to the latest patched release
wp plugin update small-package-quotes-ups-edition

# Verify the installed version is greater than 4.5.16
wp plugin get small-package-quotes-ups-edition --field=version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.