CVE-2024-43132 Overview
CVE-2024-43132 is an unauthenticated SQL injection vulnerability in the WPWeb Elite Docket plugin for WordPress, marketed as WooCommerce Collections / Wishlist / Watchlist. The flaw stems from improper neutralization of special elements used in SQL commands [CWE-89]. All plugin versions before 1.7.0 are affected. Attackers can send crafted requests over the network without authentication or user interaction to inject arbitrary SQL into backend database queries. Successful exploitation enables data exfiltration, database modification, and authentication bypass on affected WooCommerce stores. The vulnerability was published to the National Vulnerability Database (NVD) on August 29, 2024.
Critical Impact
Unauthenticated attackers can execute arbitrary SQL queries against the WordPress database, exposing customer records, order data, and administrator credentials.
Affected Products
- WPWeb Elite Docket (WooCommerce Collections / Wishlist / Watchlist) plugin for WordPress
- All versions prior to 1.7.0
- WordPress sites running WooCommerce with the Docket plugin installed
Discovery Timeline
- 2024-08-29 - CVE-2024-43132 published to NVD
- 2024-09-13 - Last updated in NVD database
Technical Details for CVE-2024-43132
Vulnerability Analysis
The Docket plugin extends WooCommerce with wishlist and watchlist functionality, exposing endpoints that interact with the WordPress database. One or more of these endpoints accept user-controlled input and concatenate it directly into SQL statements without proper parameterization or escaping. Because the vulnerable endpoints do not require authentication, any remote attacker can reach them. The PatchStack advisory categorizes this as an unauthenticated SQL injection affecting versions up to and including 1.6.6, with the fix shipped in version 1.7.0.
WordPress provides safe query primitives such as $wpdb->prepare(), but plugins that build queries using string concatenation or fail to apply placeholders bypass these protections. An attacker exploiting this flaw can read arbitrary tables, including wp_users and wp_usermeta, to extract password hashes and session tokens.
Root Cause
The root cause is the failure to sanitize or parameterize input before incorporating it into SQL queries. Request parameters reach the database layer with special characters such as single quotes, comments, and UNION operators intact. This is a classic CWE-89 instance compounded by the absence of capability checks or nonce validation on the affected endpoints.
Attack Vector
Exploitation occurs over the network against the WordPress site hosting the vulnerable plugin. The attacker submits a crafted HTTP request to an exposed plugin endpoint, embedding SQL payloads in parameters processed by the vulnerable handler. No credentials, privileges, or user interaction are required. Typical payloads include UNION SELECT statements for data extraction and time-based blind injection variants when no error output is returned. The injected query executes with the privileges of the WordPress database user, which generally permits full read and write access to all WordPress tables.
The vulnerability mechanism is described in the PatchStack advisory. No public proof-of-concept code is available at the time of writing.
Detection Methods for CVE-2024-43132
Indicators of Compromise
- HTTP requests to Docket plugin endpoints containing SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA
- Unusually long query strings or POST bodies targeting WooCommerce wishlist or watchlist actions
- Spikes in admin-ajax.php or REST API traffic referencing Docket action names from a single source
- Unexpected database errors logged by WordPress or the underlying MySQL/MariaDB instance
Detection Strategies
- Inspect web server access logs for request parameters containing encoded SQL syntax targeting plugin handlers
- Enable WordPress debug logging and monitor wp-content/debug.log for SQL syntax errors originating from the Docket plugin
- Deploy a web application firewall (WAF) ruleset that flags SQL injection patterns on WooCommerce endpoints
- Compare installed plugin versions against the 1.7.0 fixed release across all WordPress instances
Monitoring Recommendations
- Forward web server, WordPress, and database logs to a centralized analytics platform for correlation
- Alert on authentication anomalies such as new administrator accounts or password resets following suspicious traffic
- Track outbound data volume from the database host to detect mass extraction attempts
How to Mitigate CVE-2024-43132
Immediate Actions Required
- Update the Docket (WooCommerce Collections / Wishlist / Watchlist) plugin to version 1.7.0 or later on every affected WordPress site
- Audit wp_users, wp_options, and WooCommerce order tables for unauthorized modifications
- Rotate WordPress administrator passwords, API keys, and any secrets stored in the database
- Review WooCommerce customer data exposure and follow applicable breach notification obligations
Patch Information
WPWeb Elite addressed the vulnerability in Docket version 1.7.0. Site administrators should update through the WordPress plugin dashboard or by replacing the plugin directory with the patched release. Refer to the PatchStack advisory for vendor confirmation.
Workarounds
- Deactivate and remove the Docket plugin until the update can be applied if immediate patching is not possible
- Deploy WAF rules that block SQL injection payloads on URLs and parameters used by the plugin
- Restrict access to WordPress admin and AJAX endpoints by IP allowlist where feasible
- Apply least-privilege database credentials so the WordPress user cannot execute administrative SQL operations
# Verify the installed Docket plugin version via WP-CLI
wp plugin get docket --field=version
# Update the plugin to the patched release
wp plugin update docket --version=1.7.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
