CVE-2024-13320 is a SQL Injection vulnerability identified in the CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress, specifically affecting all versions up to and including 2.3.6. The root cause is insufficient escaping and lack of proper preparation of the 'wc_filter_price_meta[where]' parameter, which is user-supplied and incorporated directly into SQL queries. This improper neutralization of special elements (CWE-89) enables unauthenticated attackers to append arbitrary SQL commands to existing queries. As a result, attackers can extract sensitive information from the underlying database, compromising confidentiality without affecting integrity or availability. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score of 7.5 reflects the ease of exploitation (low attack complexity), no privileges required, and high confidentiality impact. Although no public exploits are currently known, the widespread use of WooCommerce and this plugin in e-commerce environments elevates the risk. The vulnerability highlights the importance of proper input validation, parameterized queries, and escaping in WordPress plugin development to prevent injection attacks.

The primary impact of CVE-2024-13320 is unauthorized disclosure of sensitive data stored in the WordPress site's database, which may include customer information, transaction details, and other confidential business data. This can lead to privacy violations, regulatory non-compliance, reputational damage, and potential financial losses. Since the vulnerability does not affect integrity or availability, attackers cannot modify or delete data or disrupt service directly, but the exposure of sensitive data alone can have severe consequences. Organizations running e-commerce sites with this plugin are at risk of data breaches that could undermine customer trust and invite legal penalties. The ease of exploitation without authentication increases the threat level, making automated scanning and mass exploitation plausible if an exploit becomes publicly available. Additionally, attackers could use extracted data to facilitate further attacks such as phishing or credential stuffing. The vulnerability's presence in a popular WordPress plugin amplifies its potential impact globally.

To mitigate CVE-2024-13320, organizations should immediately update the CURCY - WooCommerce Multi Currency - Currency Switcher plugin to a patched version once available. In the absence of an official patch, administrators should consider temporarily disabling the plugin to eliminate exposure. Applying Web Application Firewall (WAF) rules that detect and block SQL injection patterns targeting the 'wc_filter_price_meta[where]' parameter can provide interim protection. Developers and site administrators should audit custom code and plugin configurations to ensure all user inputs are properly sanitized and parameterized before database queries. Employing principle of least privilege on database accounts limits the potential damage from successful injection. Regularly monitoring logs for suspicious query patterns and unusual database access can help detect exploitation attempts early. Finally, organizations should maintain up-to-date backups and have an incident response plan to address potential data breaches stemming from this vulnerability.