Time-Based SQL Injection Vulnerability in GamiPress Plugin for WordPress
CVE-2024-13496

7.5HIGH

Key Information:

Vendor
Wordpress
Status
Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress
Vendor
CVE Published:
22 January 2025

Summary

The GamiPress plugin, designed for gamification in WordPress to manage points and achievements, contains a vulnerability that allows unauthenticated attackers to exploit time-based SQL Injection via the 'orderby' parameter. This issue arises from improper escaping of user-supplied inputs and inadequate preparation of SQL queries, enabling attackers to inject additional SQL commands into existing queries. If exploited, this could allow unauthorized users to extract sensitive information stored in the database, posing a significant risk to WordPress site security.

Affected Version(s)

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress * <= 7.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/gamipress/trun...
https://plugins.trac.wordpress.org/browser/gamipress/trun...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

abrahack
.