CVE-2024-13369: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in GoodLayers Tour Master - Tour Booking, Travel, Hotel
CVE-2024-13369 is a medium severity SQL Injection vulnerability in the WordPress plugin Tour Master - Tour Booking, Travel, Hotel, affecting all versions up to 5.3.6. The flaw exists due to improper sanitization of the 'review_id' parameter, allowing authenticated users with Subscriber-level access or higher to perform time-based SQL injection attacks. Exploitation enables attackers to append malicious SQL queries to extract sensitive database information without requiring user interaction. The vulnerability does not affect system availability or integrity but poses a significant confidentiality risk. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized data disclosure. Countries with high WordPress usage and tourism-related businesses are most at risk. The CVSS score is 6.
AI Analysis
Technical Summary
CVE-2024-13369 is a time-based SQL Injection vulnerability identified in the WordPress plugin Tour Master - Tour Booking, Travel, Hotel, affecting all versions up to and including 5.3.6. The vulnerability arises from improper neutralization of special elements in the 'review_id' parameter, which is insufficiently escaped and inadequately prepared in SQL queries. This flaw allows authenticated attackers with at least Subscriber-level privileges to inject additional SQL commands into existing queries. The injection is time-based, enabling attackers to infer data by measuring response delays, thus extracting sensitive information from the backend database. The vulnerability does not require user interaction but does require authentication, limiting the attack surface to users with some level of access. The plugin is widely used in WordPress sites related to travel, hotel booking, and tour management, making the vulnerability relevant to organizations in the tourism sector. The CVSS 3.1 base score is 6.5, indicating a medium severity level, with a vector showing network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability poses a risk of sensitive data disclosure if exploited.
Potential Impact
The primary impact of CVE-2024-13369 is unauthorized disclosure of sensitive information stored in the backend database of affected WordPress sites using the Tour Master plugin. Attackers with Subscriber-level access can exploit the vulnerability to extract data such as user details, booking information, and potentially payment or personal data, depending on the database schema. Although the vulnerability does not affect data integrity or availability, the confidentiality breach can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial losses. Organizations operating in the travel and hospitality sectors, which often handle sensitive customer data, are particularly at risk. The requirement for authentication limits exploitation to insiders or compromised accounts, but this does not eliminate the threat, especially in environments with weak access controls or credential reuse. The absence of known exploits in the wild suggests limited current exploitation, but the vulnerability's medium severity and ease of exploitation warrant prompt remediation to prevent future attacks.
Mitigation Recommendations
To mitigate CVE-2024-13369, organizations should immediately update the Tour Master plugin to a patched version once released by GoodLayers. Until a patch is available, implement the following specific measures:
1) Restrict Subscriber-level user permissions to the minimum necessary, removing unnecessary access to the vulnerable functionality.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'review_id' parameter.
3) Conduct thorough code reviews and apply manual input validation and parameterized queries or prepared statements in the plugin code if possible.
4) Monitor logs for unusual database query patterns or delays indicative of time-based SQL injection attempts.
5) Enforce strong authentication and credential hygiene to reduce the risk of account compromise.
6) Isolate the WordPress environment and database with strict network segmentation to limit lateral movement in case of exploitation.
7) Regularly back up databases and test restoration procedures to mitigate potential data loss from future incidents.
These targeted actions go beyond generic advice by focusing on the specific vulnerable parameter, user roles, and plugin context.
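The following added example (not code from the advisory, the plugin, or GoodLayers) shows two of the measures above in working form: a strict allow-list check that accepts only a plain integer for 'review_id', and a log-triage routine that flags requests where 'review_id' fails that check or where the response latency suggests a time-based injection probe. The log line format, the endpoint path, the user names and the 2000 ms latency threshold are all constructed assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log: "METHOD TARGET STATUS DURATION_MS USER".
# The endpoint path is a placeholder, not the plugin's real endpoint.
SAMPLE_LOG = """\
POST /example-review-endpoint?review_id=42 200 35 subscriber_a
POST /example-review-endpoint?review_id=42%20AND%20SLEEP(5) 200 5012 subscriber_b
POST /example-review-endpoint?review_id=17 200 41 subscriber_a
POST /example-review-endpoint?review_id=17%27 500 38 subscriber_b
"""

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<target>\S+) (?P<status>\d{3}) (?P<ms>\d+) (?P<user>\S+)$")
REVIEW_ID_RE = re.compile(r"^\d{1,10}$")  # allow-list: a plain positive integer only
SLOW_MS = 2000  # assumed threshold; tune to the site's normal timing for this endpoint


def is_valid_review_id(value):
    """The same allow-list check the plugin should apply before the value reaches SQL."""
    return value is not None and REVIEW_ID_RE.match(value) is not None


def parse_line(line):
    """Parse one log line; percent-decoding happens in parse_qs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    return {"user": m["user"], "ms": int(m["ms"]),
            "status": int(m["status"]), "review_id": qs.get("review_id", [None])[0]}


def triage(log_text):
    """Return findings for requests whose review_id is malformed or unusually slow."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["review_id"] is None:
            continue  # not a request carrying review_id
        reasons = []
        if not is_valid_review_id(rec["review_id"]):
            reasons.append("review_id is not a plain integer")
        if rec["ms"] >= SLOW_MS:
            reasons.append(f"response took {rec['ms']} ms")
        if reasons:
            findings.append({"user": rec["user"], "review_id": rec["review_id"], "reasons": reasons})
    return findings


def flagged_users(findings):
    """Count findings per account so repeat offenders can be reviewed first."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts
```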
Affected Countries
United States, India, United Kingdom, Germany, Australia, Canada, France, Brazil, Japan, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-13T19:38:26.086Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e51b7ef31ef0b59e309
Added to database: 2/25/2026, 9:49:05 PM
Last enriched: 2/26/2026, 1:45:41 AM
Last updated: 2/26/2026, 9:40:20 AM