CVE-2024-13496: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in rubengc GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Severity: High
Published: Wed Jan 22 2025 (01/22/2025, 11:07:58 UTC)
Source: CVE Database V5
Vendor/Project: rubengc
Product: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Description

CVE-2024-13496 is a high-severity SQL Injection vulnerability in the GamiPress WordPress plugin (up to version 7.3.1) that allows unauthenticated attackers to exploit the 'orderby' parameter to perform time-based SQL injection attacks. This flaw arises from improper sanitization and escaping of user input, enabling attackers to append malicious SQL commands to existing queries. The vulnerability can lead to unauthorized extraction of sensitive database information without requiring authentication or user interaction. Although no known exploits are currently in the wild, the ease of exploitation and the widespread use of WordPress and GamiPress make this a significant risk. The issue was incorrectly reported as fixed in version 7.2.2; the correct fix is in version 7.3.

AI-Powered Analysis

Last updated: 02/26/2026, 00:11:42 UTC

Technical Analysis

CVE-2024-13496 is a time-based SQL Injection vulnerability identified in the GamiPress – Gamification plugin for WordPress, which is used to reward points, achievements, badges, and ranks. The vulnerability exists in all versions up to and including 7.3.1 due to insufficient escaping and improper handling of the 'orderby' parameter in SQL queries. This parameter is user-supplied and not properly sanitized, allowing attackers to inject arbitrary SQL commands into the query. The injection is time-based, meaning attackers can infer data by measuring response delays, facilitating extraction of sensitive information from the backend database. Notably, the vulnerability can be exploited by unauthenticated attackers without any user interaction, increasing its risk profile. The flaw was initially thought to be fixed in version 7.2.2, but the correct fix was only implemented in version 7.3.2. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 score is 7.5 (high), reflecting its network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality. No known exploits have been reported in the wild yet, but the plugin’s popularity and WordPress’s extensive use make this a critical issue to address.

Potential Impact

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, including potentially user data, credentials, or configuration details. Since the attack requires no authentication and no user interaction, it can be executed remotely by any attacker aware of the vulnerability. This can lead to data breaches, privacy violations, and potential further exploitation of the compromised site or network. Organizations relying on GamiPress for gamification features in WordPress sites may face reputational damage, regulatory penalties, and loss of customer trust if exploited. Additionally, attackers could leverage the extracted data to facilitate more sophisticated attacks such as privilege escalation, lateral movement, or persistent access. The widespread deployment of WordPress and the popularity of GamiPress increase the scale of potential impact globally.

Mitigation Recommendations

Organizations should immediately verify the version of GamiPress installed on their WordPress sites and upgrade to version 7.3.2 or later, where the vulnerability is properly fixed. If upgrading is not immediately possible, temporarily disabling the plugin or restricting access to the affected functionality via web application firewall (WAF) rules can reduce exposure. Implementing WAF rules that detect and block suspicious SQL injection patterns targeting the 'orderby' parameter is recommended. Additionally, site administrators should ensure that WordPress core, plugins, and themes are regularly updated to minimize exposure to known vulnerabilities. Applying the principle of least privilege to database users and regularly auditing database access logs can help detect and limit damage from exploitation. Monitoring for unusual query patterns or response delays indicative of time-based SQL injection attempts is also advised. Finally, consider using security plugins that provide real-time protection against injection attacks.
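The monitoring advice above can be turned into a simple log check: a sort key is legitimately a bare column name, so any 'orderby' value outside a known allow-list is anomalous, and one that also coincides with an unusually slow response is consistent with time-based probing. This is an added illustration, not code from GamiPress or the advisory; the log format (combined log plus request time as the last field), the allow-list contents, the 3-second threshold and the log lines themselves are all constructed assumptions.

```python
"""Detect 'orderby' values that are not a plain sort key and correlate them with slow
responses, a symptom of time-based SQL injection probing. Log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log format: combined log with the request time in seconds appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>\d+\.\d+)$'
)
# Sort keys the application legitimately accepts (assumed allow-list, not GamiPress's own).
ALLOWED_ORDERBY = {"id", "date", "title", "points", "rank"}
SLOW_SECONDS = 3.0  # a non-allow-listed value plus a slow response suggests a timing probe

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    query = urlsplit(rec["path"]).query
    # parse_qs URL-decodes the value; an 'orderby' parameter may legitimately be absent
    rec["orderby"] = parse_qs(query, keep_blank_values=True).get("orderby", [None])[0]
    return rec

def classify(rec):
    """'ok' if orderby is absent or allow-listed; else 'suspicious', or 'probable_timing_attack' if slow."""
    val = rec["orderby"]
    if val is None or val.lower() in ALLOWED_ORDERBY:
        return "ok"
    return "probable_timing_attack" if rec["secs"] >= SLOW_SECONDS else "suspicious"

def scan(log_text):
    """Return (ip, orderby, verdict) for every request whose verdict is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (verdict := classify(rec)) != "ok":
            hits.append((rec["ip"], rec["orderby"], verdict))
    return hits

# Constructed sample: two normal requests, then the same odd value once fast and once slow.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Jan/2025:11:07:58 +0000] "GET /leaderboard/?orderby=points&order=desc HTTP/1.1" 200 5120 0.041
198.51.100.7 - - [22/Jan/2025:11:08:02 +0000] "GET /leaderboard/?orderby=Points HTTP/1.1" 200 5120 0.039
203.0.113.9 - - [22/Jan/2025:11:09:10 +0000] "GET /leaderboard/?orderby=points%29%20x HTTP/1.1" 200 5120 0.052
203.0.113.9 - - [22/Jan/2025:11:09:16 +0000] "GET /leaderboard/?orderby=points%29%20x HTTP/1.1" 200 5120 5.018
"""
```

Calling `scan(SAMPLE_LOG)` returns the two requests from 203.0.113.9, the first as 'suspicious' and the second, which took over five seconds, as 'probable_timing_attack'.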


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-16T20:56:30.376Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5bb7ef31ef0b59ed72

Added to database: 2/25/2026, 9:49:15 PM

Last enriched: 2/26/2026, 12:11:42 AM

Last updated: 2/26/2026, 7:01:29 AM

