CVE-2024-13713 identifies a SQL Injection vulnerability in the WPExperts Square For GiveWP plugin for WordPress, present in all versions up to and including 1.3.1. The vulnerability stems from improper neutralization of special elements in the 'post' parameter used in SQL commands, classified under CWE-89. Specifically, the plugin fails to sufficiently escape user-supplied input and does not use prepared statements or parameterized queries, allowing attackers to append arbitrary SQL queries to existing database commands. This flaw can be exploited by authenticated users with as low as Subscriber-level privileges, which is notable since Subscribers typically have minimal access rights. The attack does not require user interaction and can be performed remotely over the network. Successful exploitation enables attackers to extract sensitive information from the WordPress database, such as user data or configuration details, thereby compromising confidentiality. The CVSS v3.1 base score is 6.5 (medium), reflecting the network attack vector, low attack complexity, and the requirement for privileges but no user interaction. No integrity or availability impacts are reported. No known public exploits have been observed yet, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of a patch link suggests that a fix may not yet be released, emphasizing the need for interim mitigations.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored in the WordPress database, which may include user credentials, personal data, donation records, or other confidential content managed by the GiveWP plugin. Since the vulnerability can be exploited by users with Subscriber-level access, attackers can leverage compromised or low-privilege accounts to escalate their capabilities and extract data beyond their authorization. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential financial losses for organizations relying on the affected plugin. Although the vulnerability does not affect data integrity or availability, the breach of confidentiality alone can have severe consequences, especially for non-profit organizations or businesses handling sensitive donor information. The ease of exploitation (low complexity) and network accessibility increase the risk profile, particularly for websites with many registered users or weak account security. Organizations worldwide using the GiveWP plugin are at risk until remediation is applied.

1. Immediately restrict Subscriber-level user capabilities to the minimum necessary, and audit existing accounts for suspicious activity. 2. Monitor web server and database logs for unusual SQL query patterns or unauthorized data access attempts related to the 'post' parameter. 3. Apply strict input validation and sanitization on all user-supplied parameters, especially 'post', using whitelist approaches where feasible. 4. Implement parameterized queries or prepared statements in the plugin code to prevent SQL Injection; if unable to patch immediately, consider disabling the vulnerable functionality temporarily. 5. Keep WordPress core, themes, and all plugins updated; monitor the WPExperts Square For GiveWP plugin repository or vendor announcements for official patches addressing CVE-2024-13713. 6. Employ Web Application Firewalls (WAFs) with SQL Injection detection rules to block exploitation attempts. 7. Educate administrators and users about the risks of low-privilege account compromise and enforce strong authentication policies, including MFA where possible. 8. Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities to detect similar issues proactively.