CVE-2024-13475 is a SQL Injection vulnerability identified in the Small Package Quotes – UPS Edition WordPress plugin developed by enituretechnology. The vulnerability exists in all versions up to and including 4.5.16 and is caused by improper neutralization of special elements in the 'edit_id' parameter. Specifically, the plugin fails to adequately escape or prepare the SQL query that incorporates this parameter, allowing an unauthenticated attacker to append arbitrary SQL commands. This can lead to unauthorized data extraction from the underlying database, compromising confidentiality. The vulnerability does not require any authentication or user interaction, increasing its exploitability. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits have been reported, the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive customer or business data. The lack of a patch link indicates that a fix may not yet be available, necessitating immediate mitigation steps by administrators.

The primary impact of CVE-2024-13475 is the unauthorized disclosure of sensitive information stored in the database of affected WordPress sites. Attackers exploiting this vulnerability can extract data such as customer details, shipping information, or other confidential business data managed by the Small Package Quotes – UPS Edition plugin. This breach of confidentiality can lead to data leaks, privacy violations, and potential regulatory non-compliance. Since the vulnerability does not affect integrity or availability directly, attackers cannot modify or delete data or disrupt services through this flaw alone. However, the extracted information could be used for further attacks, including phishing, identity theft, or gaining deeper access into the network. Organizations worldwide that rely on this plugin for shipping quotes or logistics integration face increased risk of data compromise, which could damage reputation and customer trust. The ease of exploitation and unauthenticated access make this a critical threat that could be leveraged by cybercriminals or state-sponsored actors targeting e-commerce and logistics platforms.

To mitigate CVE-2024-13475, organizations should first check for and apply any official patches or updates released by enituretechnology as soon as they become available. In the absence of a patch, immediate steps include disabling or uninstalling the Small Package Quotes – UPS Edition plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting the 'edit_id' parameter can provide temporary protection. Administrators should also enforce strict input validation and sanitization at the application level, ensuring that all user-supplied parameters are properly escaped or parameterized in SQL queries. Monitoring database logs and web server logs for unusual query patterns or repeated failed attempts can help detect exploitation attempts early. Additionally, restricting database user permissions to the minimum necessary can limit the impact of a successful injection. Regular security audits and vulnerability scanning of WordPress plugins should be institutionalized to identify similar risks proactively.