CVE-2024-6205 Overview
CVE-2024-6205 is an unauthenticated SQL injection vulnerability in the PayPlus Payment Gateway WordPress plugin. The flaw exists in versions before 6.6.9 and stems from improper sanitization of a parameter passed to a WooCommerce API route. Because the route is accessible without authentication, remote attackers can inject arbitrary SQL into database queries over the network.
The vulnerability is classified as SQL Injection [CWE-89] and carries a high EPSS probability, indicating a high likelihood of exploitation in the wild. Successful exploitation allows attackers to read, modify, or delete data stored in the WordPress database, including customer order data and administrative credentials.
Critical Impact
Unauthenticated remote attackers can execute arbitrary SQL queries against the WordPress database, exposing customer payment data, credentials, and full site integrity.
Affected Products
- PayPlus Payment Gateway WordPress plugin versions prior to 6.6.9
- WordPress sites using PayPlus with WooCommerce integration enabled
- Sites exposing the vulnerable WooCommerce API route to unauthenticated traffic
Discovery Timeline
- 2024-07-19 - CVE-2024-6205 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6205
Vulnerability Analysis
The PayPlus Payment Gateway plugin registers a WooCommerce API route that processes parameters from incoming HTTP requests. The plugin passes one of these parameters directly into a SQL statement without proper sanitization or parameterized query binding. This violation of safe database access patterns enables SQL injection.
Because the route does not enforce authentication or capability checks, any remote user can reach the vulnerable endpoint. Attackers can manipulate the affected parameter to break out of the intended SQL context and append arbitrary clauses. The injected SQL executes with the privileges of the WordPress database user, which typically has full read and write access to the site's database.
The high EPSS probability associated with this CVE reflects strong exploitation likelihood for this class of unauthenticated WordPress plugin flaw.
Root Cause
The root cause is the absence of parameterized queries or proper escaping using the WordPress $wpdb->prepare() API. The plugin concatenates user-controlled input directly into a SQL string. Compounding the issue, the WooCommerce API route lacks an authentication or permission callback, exposing the sink to unauthenticated traffic.
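The two patterns contrasted above (string concatenation into SQL on a route with no permission check, versus a validated argument bound through $wpdb->prepare() behind a permission_callback), shown as an added illustration written for this page. It is not code from the PayPlus plugin: the route namespace, the order_ref parameter and the example_orders table are hypothetical, while register_rest_route(), $wpdb->prepare(), rest_ensure_response() and current_user_can() are the real WordPress and WooCommerce APIs.

```php
<?php
// Added illustration, not the PayPlus plugin's code. The route name, the
// 'order_ref' parameter and the example_orders table are hypothetical.

// VULNERABLE PATTERN (the class of bug described above): user-controlled input
// is concatenated straight into the SQL string. In the vulnerable shape the
// route would also be registered with 'permission_callback' => '__return_true',
// which makes it reachable without authentication.
function example_vulnerable_lookup( WP_REST_Request $request ) {
    global $wpdb;
    $ref = $request->get_param( 'order_ref' ); // attacker-controlled string
    $sql = "SELECT order_id, status FROM {$wpdb->prefix}example_orders WHERE order_ref = '" . $ref . "'";
    return rest_ensure_response( $wpdb->get_results( $sql ) ); // SQL injection sink
}

// HARDENED PATTERN: the value arrives already validated by the 'args' schema
// below and is bound with a %s placeholder, so it can never change the
// structure of the statement, whatever characters it contains.
function example_hardened_lookup( WP_REST_Request $request ) {
    global $wpdb;
    $ref = $request->get_param( 'order_ref' );
    $sql = $wpdb->prepare(
        "SELECT order_id, status FROM {$wpdb->prefix}example_orders WHERE order_ref = %s",
        $ref
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/order', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_hardened_lookup',
        // A real capability check instead of '__return_true'. Only users who
        // may manage the shop can reach the query at all.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'order_ref' => array(
                'required'          => true,
                'type'              => 'string',
                // Reject anything outside the expected reference format before
                // the request handler (and the database) ever sees it.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value ) === 1;
                },
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

Where a gateway route genuinely has to accept callbacks from the payment provider with no logged-in user, the permission_callback should verify a shared secret or request signature rather than return true; that changes who can reach the route, but the query itself stays parameterized either way, and the allow-list validation on the argument is the second, independent layer.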
Attack Vector
An attacker sends a crafted HTTP request to the vulnerable WooCommerce API route exposed by the PayPlus plugin. The request includes a malicious payload in the unsanitized parameter. The payload alters the structure of the executed SQL query, enabling UNION-based data extraction, boolean-based blind exfiltration, or time-based blind exploitation.
No authentication, user interaction, or local access is required. The attack is fully remote and can be automated across exposed WordPress sites. See the WPScan Vulnerability Analysis for advisory details.
Detection Methods for CVE-2024-6205
Indicators of Compromise
- HTTP requests to PayPlus WooCommerce API routes containing SQL meta-characters such as single quotes, UNION SELECT, SLEEP(, or -- comment sequences
- Unexpected outbound database queries originating from the WordPress web server process
- New or modified WordPress administrator accounts in the wp_users table without corresponding admin activity logs
- Spikes in 500-series HTTP responses or unusually long response times on PayPlus endpoints, indicating blind SQLi probing
Detection Strategies
- Inspect web server access logs for requests to PayPlus plugin REST routes containing encoded SQL payloads
- Deploy a Web Application Firewall (WAF) ruleset that flags SQL injection patterns against /wp-json/ endpoints
- Monitor MySQL slow query and general query logs for anomalous queries originating from PayPlus code paths
- Compare installed plugin versions against the patched baseline of 6.6.9 or later across all managed WordPress sites
Monitoring Recommendations
- Centralize WordPress, web server, and database logs in a SIEM for correlation and retention
- Alert on consecutive failed or malformed requests to PayPlus API routes from a single source
- Track integrity of the wp_users, wp_usermeta, and wp_options tables for unauthorized modification
- Establish baseline request volumes for plugin endpoints to detect injection scanning campaigns
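The log-inspection and per-source alerting items above, worked through as an added example written for this page (it is not part of the original advisory and not PayPlus code). It parses combined-format web server access-log lines, restricts attention to /wp-json/ routes, URL-decodes the request target twice so encoded and double-encoded payloads are both visible, matches the indicators the advisory lists, and counts hits per source IP so a burst from one address can raise an alert. The log lines and the /wp-json/payplus/v1/example path are constructed placeholders, not real PayPlus routes.

```php
<?php
// Added example; not part of the original advisory and not PayPlus code.
// Requires PHP 7.4+ (arrow function). Log lines and the route path below are
// constructed placeholders.

const WATCHED_PREFIX   = '/wp-json/';
const REPEAT_THRESHOLD = 2; // hits from one IP before it counts as a probing burst

// Indicators from the advisory: single quotes, UNION SELECT, SLEEP(, comment sequences.
const SQLI_PATTERNS = array(
    "/'/"                              => 'single quote',
    '/\bunion\b\s+(all\s+)?select\b/i' => 'UNION SELECT',
    '/\bsleep\s*\(/i'                  => 'SLEEP(',
    '/(--|\/\*)/'                      => 'SQL comment sequence',
);

// Constructed sample lines: one benign call, two probes from the same source
// (the second double-encoded), and one unrelated request outside /wp-json/.
$sample_lines = array(
    '203.0.113.10 - - [19/Jul/2024:10:00:01 +0000] "GET /wp-json/payplus/v1/example?order_ref=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [19/Jul/2024:10:00:02 +0000] "GET /wp-json/payplus/v1/example?order_ref=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.55 - - [19/Jul/2024:10:00:03 +0000] "GET /wp-json/payplus/v1/example?order_ref=1%2527%2520AND%2520SLEEP(5)-- HTTP/1.1" 200 18 "-" "curl/8.0"',
    '198.51.100.7 - - [19/Jul/2024:10:00:04 +0000] "GET /?s=it%27s HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
);

function parse_access_log_line( string $line ): ?array {
    // Combined log format: IP ident user [time] "METHOD TARGET PROTO" STATUS BYTES ...
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] );
}

function sqli_indicators( string $target ): array {
    // Decode twice so single- and double-encoded payloads both become visible.
    $decoded = rawurldecode( rawurldecode( $target ) );
    $hits    = array();
    foreach ( SQLI_PATTERNS as $regex => $label ) {
        if ( preg_match( $regex, $decoded ) === 1 ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

function scan_access_log( array $lines ): array {
    $alerts = array();
    $per_ip = array();
    foreach ( $lines as $line ) {
        $entry = parse_access_log_line( $line );
        // Skip unparsable lines and anything outside the REST API prefix.
        if ( $entry === null || strncmp( $entry['target'], WATCHED_PREFIX, strlen( WATCHED_PREFIX ) ) !== 0 ) {
            continue;
        }
        $hits = sqli_indicators( $entry['target'] );
        if ( empty( $hits ) ) {
            continue;
        }
        $per_ip[ $entry['ip'] ] = ( $per_ip[ $entry['ip'] ] ?? 0 ) + 1;
        $alerts[] = array(
            'time'       => $entry['time'],
            'ip'         => $entry['ip'],
            'status'     => $entry['status'], // 500s alongside indicators suggest a query actually broke
            'indicators' => $hits,
            'target'     => $entry['target'],
        );
    }
    // Sources that crossed the threshold feed the "repeated malformed requests" alert.
    $bursts = array_keys( array_filter( $per_ip, fn( $n ) => $n >= REPEAT_THRESHOLD ) );
    return array( 'alerts' => $alerts, 'per_ip' => $per_ip, 'bursts' => $bursts );
}

$result = scan_access_log( $sample_lines );
foreach ( $result['alerts'] as $a ) {
    printf( "[%s] %s -> HTTP %d  indicators: %s\n    %s\n",
        $a['time'], $a['ip'], $a['status'], implode( ', ', $a['indicators'] ), $a['target'] );
}
foreach ( $result['bursts'] as $ip ) {
    printf( "ALERT: %s sent %d suspicious requests to %s routes\n", $ip, $result['per_ip'][ $ip ], WATCHED_PREFIX );
}
```

Against the sample input the benign ABC123 call and the non-REST request produce nothing, the two curl requests are flagged (the first with quote, UNION SELECT and comment indicators and an HTTP 500; the second, after double decoding, with quote, SLEEP( and comment indicators), and 203.0.113.55 crosses the burst threshold. To run it over real data, replace $sample_lines with file('access.log', FILE_IGNORE_NEW_LINES). The lone single-quote rule is the noisiest of the four (customer names and search strings contain apostrophes), so in production weight it lower or require it to co-occur with another indicator before alerting.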
How to Mitigate CVE-2024-6205
Immediate Actions Required
- Upgrade the PayPlus Payment Gateway plugin to version 6.6.9 or later on every WordPress site
- Audit wp_users and administrator accounts for unauthorized additions or role changes
- Rotate WordPress administrator passwords, API keys, and database credentials if exploitation is suspected
- Block known SQL injection patterns at the WAF or reverse proxy layer until patching is complete
Patch Information
The vendor addressed this vulnerability in PayPlus Payment Gateway version 6.6.9. The fix introduces proper sanitization and parameterized query handling for the affected WooCommerce API route. Refer to the WPScan Vulnerability Analysis for advisory information and version details.
Workarounds
- Temporarily deactivate the PayPlus Payment Gateway plugin if immediate patching is not possible
- Restrict access to /wp-json/ PayPlus routes via web server rules until the plugin is updated
- Apply WAF signatures targeting SQL injection patterns on WooCommerce REST endpoints
- Limit database user privileges so the WordPress account cannot execute administrative SQL operations beyond what the application requires
# Update PayPlus plugin via WP-CLI to the patched version
wp plugin update payplus-payment-gateway --version=6.6.9
# Verify installed version
wp plugin get payplus-payment-gateway --field=version
# Deactivate as a temporary workaround if patching is delayed
wp plugin deactivate payplus-payment-gateway
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.