CVE-2024-13680: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in codepeople Form Builder CP
CVE-2024-13680 is a medium-severity SQL Injection vulnerability in the Form Builder CP WordPress plugin affecting all versions up to and including 1.2.41. It arises from improper sanitization of the 'id' parameter in the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode, allowing authenticated users with Contributor-level or higher access to inject malicious SQL code. Exploitation can lead to unauthorized extraction of sensitive database information. The vulnerability does not require user interaction but does require authentication with at least Contributor privileges. There are no known exploits in the wild currently. Organizations using this plugin on WordPress sites should prioritize patching or mitigating this flaw to prevent data leakage. The vulnerability impacts confidentiality but not integrity or availability. Countries with significant WordPress usage and a high number of websites using this plugin are most at risk.
AI Analysis
Technical Summary
CVE-2024-13680 is an SQL Injection vulnerability classified under CWE-89 found in the Form Builder CP plugin for WordPress, specifically in all versions up to and including 1.2.41. The vulnerability stems from insufficient escaping and lack of prepared statements when processing the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode. This flaw allows authenticated users with Contributor-level access or higher to append arbitrary SQL queries to existing database queries. Because the plugin fails to properly neutralize special SQL elements, attackers can manipulate the SQL commands executed by the database, potentially extracting sensitive information such as user data or site configuration details. The vulnerability requires no user interaction but does require authentication, limiting exploitation to users with some level of access. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and partial confidentiality impact without affecting integrity or availability. No patches or known exploits have been reported at the time of publication. The vulnerability affects all versions of the plugin up to 1.2.41, which is widely used in WordPress environments for form creation and management.
Potential Impact
The primary impact of CVE-2024-13680 is unauthorized disclosure of sensitive information stored in the WordPress database. Attackers with Contributor or higher privileges can exploit the SQL Injection to extract data beyond their normal access rights, potentially including user credentials, personal information, or site configuration details. This can lead to privacy violations, data breaches, and further exploitation such as privilege escalation or targeted attacks. Although the vulnerability does not directly affect data integrity or availability, the exposure of confidential data can undermine trust and compliance with data protection regulations. Organizations running WordPress sites with this plugin are at risk, especially those with multiple contributors or less stringent access controls. The ease of exploitation (low complexity) combined with network accessibility increases the likelihood of attacks if the vulnerability is not mitigated promptly.
Mitigation Recommendations
To mitigate CVE-2024-13680, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, immediate steps include restricting Contributor-level access and above to trusted users only, minimizing the attack surface. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter in the shortcode can provide temporary protection. Site administrators should audit user roles and permissions to ensure no unnecessary privileges are granted. Additionally, monitoring database query logs for unusual or unexpected queries can help detect exploitation attempts. Developers maintaining the plugin or custom code should refactor the vulnerable SQL queries to use parameterized prepared statements and properly sanitize all user inputs. Regular backups and incident response plans should be in place to recover from potential data breaches.
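As an added illustration that is not the plugin's or the advisory's own code, the WordPress shortcode handler below shows the pattern the technical summary describes (a shortcode attribute concatenated straight into a query string) next to the prepared-statement fix the mitigation section calls for. The shortcode tag, table name and function names are hypothetical; `$wpdb`, `shortcode_atts()`, `absint()` and `esc_html()` are WordPress core APIs, so the file assumes it is loaded as a plugin inside a WordPress runtime.

```php
<?php
/**
 * Illustrative example only; not the Form Builder CP plugin's code.
 * Shows the CWE-89 pattern in a shortcode handler and the prepared-statement
 * fix. Assumes the WordPress runtime: $wpdb, add_shortcode(), shortcode_atts(),
 * absint() and esc_html() are WordPress core. Table name, shortcode tag and
 * function names are hypothetical.
 */

// Vulnerable pattern (hypothetical): the 'id' attribute is interpolated
// directly into the SQL text, so any user who can place this shortcode in a
// post (Contributor and above) controls part of the query the database runs.
function example_form_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'example_form' );
    $sql  = "SELECT form_structure FROM {$wpdb->prefix}example_forms WHERE id = " . $atts['id'];
    $row  = $wpdb->get_row( $sql ); // user-controlled SQL reaches the database
    return $row ? esc_html( $row->form_structure ) : '';
}

// Hardened version: the attribute is coerced to a non-negative integer and then
// bound with $wpdb->prepare(), so whatever the author typed can only ever be
// a number in the final query. Output is escaped separately with esc_html().
function example_form_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'example_form' );
    $form_id = absint( $atts['id'] );
    if ( 0 === $form_id ) {
        return ''; // missing or non-numeric id: do not query at all
    }
    $sql = $wpdb->prepare(
        "SELECT form_structure FROM {$wpdb->prefix}example_forms WHERE id = %d",
        $form_id
    );
    $row = $wpdb->get_row( $sql );
    return $row ? esc_html( $row->form_structure ) : '';
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'example_form', 'example_form_shortcode_fixed' );
```

The two changes that matter are the integer coercion before the query and the `%d` placeholder in `$wpdb->prepare()`; either one alone blocks the injection described in the advisory, and using both means a future edit that relaxes one still leaves the other in place.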
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-23T18:35:16.312Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e67b7ef31ef0b5a00a7
Added to database: 2/25/2026, 9:49:27 PM
Last enriched: 2/25/2026, 10:58:36 PM
Last updated: 2/26/2026, 6:32:54 AM