Cyber Posture

CVE-2024-13726

Severity: High · Public PoC

Published: 17 February 2025
Modified: 21 May 2025
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.1190 (93.8th percentile)
Risk Priority: 24 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Security Summary

CVE-2024-13726 is a SQL injection vulnerability (CWE-89) affecting the Coder WordPress plugin through version 1.3.4. The plugin fails to properly sanitize and escape a parameter before incorporating it into a SQL statement via an AJAX action that is accessible to unauthenticated users, enabling arbitrary SQL query execution.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. The CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects its high severity, driven by the changed scope (S:C) and the high confidentiality impact (C:H): an attacker can extract sensitive data from the underlying database, while integrity and availability are not affected.

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/ec226d22-0c09-4e7c-86ec-b64819089b60/. The vulnerability was published on 2025-02-17.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

Affected Products

Vendor: themescoder
Product: themes coder
Affected versions: ≤ 1.3.4