CVE-2024-13321
Published: 14 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2024-13321 is a SQL injection vulnerability in the AnalyticsWP plugin for WordPress, affecting all versions up to and including 2.0.0. The issue stems from insufficient authorization checks in the handle_get_stats() function, which allows the 'custom_sql' parameter to be abused. This enables attackers to append additional SQL queries to existing ones, facilitating the extraction of sensitive information from the database. The vulnerability is classified under CWE-89 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, requiring no user privileges or interaction. Exploitation allows remote extraction of confidential database information, such as user credentials or other sensitive data stored in WordPress sites running the plugin, without impacting integrity or availability.
Mitigation details are available in advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f6507318-92c0-457c-8c87-2d023428a77f?source=cve and the plugin's official site at https://analyticswp.com/.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing WordPress plugin enables remote, unauthenticated exploitation of the web application (T1190) and direct, unauthorized collection of data from the site's database (T1213.006).