A significant security flaw has been identified in GamiPress, a widely used WordPress plugin that enables website owners to implement gamification and reward systems. This vulnerability, cataloged as CVE-2024-13496 with a CVSS 3.1 score of 7.5, allows unauthenticated attackers to inject malicious SQL queries, potentially compromising entire WordPress installations. The issue affects all GamiPress versions up to 7.3.1 and was addressed in version 7.3.2, released on March 18, 2025.
Discovery and Technical Details
Security researcher Abrahack uncovered the vulnerability during an offsite security assessment of GamiPress version 7.2.1. The flaw originates from improper input validation within the plugin’s log retrieval functionality, specifically the `gamipress_get_logs` AJAX endpoint. This endpoint is accessible without authentication through the WordPress hook `wp_ajax_nopriv_{$action}`, making it particularly susceptible to exploitation.
The core of the vulnerability lies in the handling of the `orderby` parameter in database queries. Although the code attempts to sanitize inputs using `sanitize_text_field()`, the vulnerability manifests further down the execution chain in the `CT_Query` class, where the `orderby` parameter is unsafely incorporated into SQL queries. This oversight allows attackers to manipulate the `orderby` parameter to inject malicious SQL commands, leading to unauthorized data extraction or complete control over the website.
Risk Assessment
The unauthenticated nature of this SQL injection vulnerability significantly elevates its risk profile. Attackers can exploit this flaw without needing valid credentials, making it easier to execute and more dangerous. Potential impacts include unauthorized access to sensitive information, database manipulation, and full site takeover. Given the widespread use of GamiPress, the number of potentially affected websites is substantial, underscoring the urgency of addressing this issue.
Patch Implementation and Recommendations
In response to the discovery, the developers of GamiPress have implemented a whitelist approach for the `orderby` parameter, restricting it to a predefined list of valid columns in the database table. This measure effectively prevents attackers from injecting malicious SQL commands through this vector.
WordPress site administrators using the GamiPress plugin are strongly advised to update to version 7.3.2 or later immediately. Beyond updating the plugin, administrators should:
– Review Server Logs: Examine logs for any unusual or unauthorized activity that may indicate exploitation attempts.
– Implement Web Application Firewalls (WAFs): Deploy WAFs to provide an additional layer of protection against SQL injection and other web-based attacks.
– Adhere to Security Best Practices: Regularly update all plugins and themes, enforce strong password policies, and conduct periodic security audits to maintain the integrity of the website.
Broader Implications and Preventative Measures
This incident highlights the critical importance of regular security assessments and prompt patching in maintaining the security of WordPress sites. Plugins, while enhancing functionality, can introduce vulnerabilities if not properly managed. To mitigate such risks, website owners should:
– Conduct Regular Security Audits: Periodically assess the security posture of the website to identify and address vulnerabilities proactively.
– Limit Plugin Usage: Install only necessary plugins from reputable sources and ensure they are actively maintained.
– Stay Informed: Keep abreast of security advisories related to WordPress and its plugins to respond swiftly to emerging threats.
By implementing these measures, website administrators can significantly reduce the risk of exploitation and enhance the overall security of their WordPress installations.
