CVE-2024-13507 is a critical SQL Injection vulnerability identified in the GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress, affecting all versions up to and including 2.8.97. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping and lack of prepared statements for the user-supplied 'dist' parameter. This parameter is used in SQL queries without adequate sanitization, enabling unauthenticated attackers to inject arbitrary SQL code. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly accessible. The vulnerability is time-based, meaning attackers can infer data by measuring response delays caused by injected SQL commands. The impact is primarily on confidentiality, allowing attackers to extract sensitive information from the backend database. The CVSS v3.1 base score is 7.5, reflecting high severity due to ease of exploitation and potential data leakage. No patches have been linked yet, and no known exploits are reported in the wild, but the risk remains significant given the plugin's widespread use in WordPress sites for business directories and classified listings.

The primary impact of CVE-2024-13507 is unauthorized disclosure of sensitive data stored in the WordPress site's database, including potentially user information, business listings, and other confidential data managed by the GeoDirectory plugin. Since the vulnerability allows unauthenticated attackers to perform SQL Injection, it can lead to data breaches without requiring any credentials. Although the vulnerability does not directly affect data integrity or availability, the exposure of confidential information can have severe consequences such as identity theft, competitive intelligence gathering, and reputational damage. Organizations relying on this plugin for business directories or classified listings risk losing customer trust and may face regulatory penalties if personal data is compromised. The ease of exploitation and lack of authentication requirements increase the likelihood of automated attacks and scanning by threat actors. This vulnerability could also serve as a foothold for further attacks if combined with other vulnerabilities in the WordPress environment.

1. Immediate upgrade: Organizations should monitor the vendor's announcements and apply any official patches or updates as soon as they become available. 2. Temporary workarounds: Until a patch is released, restrict access to the vulnerable plugin's endpoints by implementing web application firewall (WAF) rules that block or sanitize requests containing the 'dist' parameter or suspicious SQL syntax. 3. Input validation: Implement additional input validation and sanitization at the web server or application firewall level to detect and block SQL injection patterns targeting the 'dist' parameter. 4. Principle of least privilege: Ensure the database user account used by the WordPress site has minimal privileges, limiting the potential damage from SQL injection. 5. Monitoring and logging: Enable detailed logging of web requests and database queries to detect unusual activity indicative of SQL injection attempts. 6. Security scanning: Regularly scan WordPress installations with vulnerability scanners to identify the presence of vulnerable plugin versions. 7. Consider plugin alternatives: Evaluate alternative plugins with better security track records if timely patching is not feasible. 8. Harden WordPress environment: Keep WordPress core, themes, and other plugins updated to reduce the attack surface and prevent chained exploits.