CVE-2024-13533 Overview
CVE-2024-13533 is a SQL Injection vulnerability in the Small Package Quotes – USPS Edition plugin for WordPress. The flaw affects all versions up to and including 1.3.5. It exists in the edit_id parameter handled by the plugin's shipping rules functionality. Insufficient escaping of user-supplied input, combined with a lack of proper query preparation, allows unauthenticated attackers to append additional SQL statements to existing queries. Successful exploitation exposes sensitive database contents to remote attackers over the network without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can extract sensitive information from the WordPress database, including user credentials and site configuration data, by injecting SQL payloads through the edit_id parameter.
Affected Products
- Eniture Small Package Quotes – USPS Edition for WordPress (all versions ≤ 1.3.5)
- WordPress installations with the plugin activated
- E-commerce sites relying on the plugin for USPS shipping quotes
Discovery Timeline
- 2025-02-19 - CVE-2024-13533 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-13533
Vulnerability Analysis
The vulnerability is a classic SQL Injection flaw [CWE-89] within the plugin's shipping rules save handler. The affected code path is located in admin/tab/shipping-rules/shipping-rules-save.php at line 77. The edit_id parameter, supplied through an HTTP request, is concatenated directly into a SQL statement without parameterized queries or proper escaping. As a result, an attacker can break out of the intended query context and inject arbitrary SQL clauses.
Because the endpoint is reachable without authentication, exploitation requires only network access to the target WordPress site. The impact focuses on confidentiality, enabling attackers to exfiltrate database contents such as wp_users records, password hashes, and secret keys through UNION-based or time-based blind SQL injection techniques.
Root Cause
The root cause is the absence of prepared statements when building the SQL query that processes the edit_id value. WordPress provides $wpdb->prepare() for safe parameter binding, but the vulnerable code passes user input directly into the query string. Insufficient input sanitization compounds the issue.
Attack Vector
An attacker sends a crafted HTTP request to the plugin's shipping rules endpoint with a malicious edit_id value. The payload appends SQL syntax such as UNION SELECT clauses to leak data from arbitrary tables. No authentication, privileges, or user interaction are required, making automated mass exploitation feasible.
Refer to the WordPress Shipping Rules File and the Wordfence Vulnerability Report for detailed technical context.
Detection Methods for CVE-2024-13533
Indicators of Compromise
- HTTP requests to plugin endpoints containing the edit_id parameter with SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or comment sequences (--, #).
- Unexpected outbound database queries or spikes in query execution time originating from the wp-admin shipping rules handler.
- Web server access logs showing unauthenticated requests to shipping-rules-save.php from external IP addresses.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect and block SQL injection patterns targeting the edit_id query parameter.
- Enable MySQL general query logging temporarily to identify malformed or suspicious queries generated by the plugin.
- Correlate WordPress access logs with database error logs to surface injection attempts that trigger syntax errors.
Monitoring Recommendations
- Monitor for anomalous request volumes to the plugin's admin endpoints from unauthenticated sources.
- Alert on repeated 500 responses or database error messages exposed in HTTP responses from WordPress.
- Track changes to WordPress user tables and administrative accounts for signs of post-exploitation activity.
How to Mitigate CVE-2024-13533
Immediate Actions Required
- Update the Small Package Quotes – USPS Edition plugin to a version newer than 1.3.5 as soon as the vendor releases a fixed release.
- Restrict access to WordPress administrative endpoints using IP allow-lists or authentication proxies where feasible.
- Audit the wp_users table and rotate WordPress administrator credentials and secret keys if exploitation is suspected.
Patch Information
The vendor addressed the issue in the plugin repository via a code change tracked in the WordPress Plugin Changeset. Site administrators should upgrade through the WordPress plugin manager and verify the installed version is above 1.3.5.
Workarounds
- Deactivate and remove the plugin until an updated, patched version is installed.
- Deploy WAF signatures that block SQL injection payloads on requests carrying the edit_id parameter.
- Enforce least-privilege database credentials for the WordPress database user to limit the scope of extractable data.
# Example WAF rule concept (ModSecurity) blocking SQLi on edit_id
SecRule ARGS:edit_id "@rx (?i)(union(\s|/\*.*\*/)+select|sleep\(|benchmark\(|--|#|';)" \
"id:1013533,phase:2,deny,status:403,log,msg:'CVE-2024-13533 SQLi attempt on edit_id'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

