CVE-2024-13532 is a SQL Injection vulnerability classified under CWE-89, found in the Small Package Quotes – Purolator Edition WordPress plugin developed by enituretechnology. This plugin, widely used for shipping rate calculations, improperly handles user-supplied input in the 'edit_id' and 'dropship_edit_id' parameters. Specifically, the plugin fails to adequately escape or prepare these parameters before incorporating them into SQL queries, allowing attackers to append arbitrary SQL commands. The vulnerability affects all versions up to and including 3.6.4. Because the exploit requires no authentication or user interaction and can be triggered remotely over the network, it presents a critical attack vector. Successful exploitation can lead to unauthorized disclosure of sensitive data stored in the backend database, such as customer information, shipping details, or other business-critical data. The CVSS v3.1 base score is 7.5, reflecting high severity primarily due to the confidentiality impact and ease of exploitation. Although no public exploits are currently known, the vulnerability's characteristics make it a prime target for attackers seeking to compromise WordPress sites using this plugin. The lack of a patch at the time of disclosure further increases risk.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information from the affected database, which can include customer data, shipping details, and potentially other confidential business information. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and financial losses. Since the vulnerability does not affect data integrity or availability, the risk is focused on confidentiality breaches. However, attackers could leverage extracted data for further attacks such as phishing or identity theft. The ease of exploitation without authentication or user interaction means that any exposed WordPress site running the vulnerable plugin is at immediate risk. Organizations relying on this plugin for shipping quotes, especially those handling sensitive customer or business data, face increased exposure. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score indicates urgent attention is needed.

1. Immediate action should be to update the Small Package Quotes – Purolator Edition plugin to a version that addresses this vulnerability once available. Monitor the vendor’s official channels for patch releases. 2. In the absence of an official patch, implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'edit_id' and 'dropship_edit_id' parameters. 3. Restrict access to the affected plugin’s endpoints by IP whitelisting or other network controls where feasible. 4. Conduct thorough input validation and sanitization on all user-supplied parameters at the application level, employing prepared statements or parameterized queries if modifying the plugin code is possible. 5. Regularly audit and monitor database access logs for suspicious queries or anomalies indicative of exploitation attempts. 6. Employ least privilege principles for database accounts used by the plugin to limit data exposure in case of compromise. 7. Educate site administrators on the risks and encourage timely updates of all WordPress plugins and themes to reduce attack surface.