CVE-2024-13726
Published: 2025-02-17
Priority: P2 · 65 · high · CVSS 3.1 base score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit: EPSS 1.91% (77.2nd percentile)
The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themescoder | themes_coder | <= 1.3.4 | — |
Detection & IOCs (extracted from sources)
- sigma: `status_code == 200`
- bytes (rule digest): `4a0a00473045022100c7214d44bb95ba796a38eafb8c1ec46ffa67c6cf765a66d46487ea9f781cd18702206ad7eed7394c282a8eb65e9fb6e1e765b78201efbde82be42eb06a5ee28e80df:922c64590222798bb761d5b6d8e72950`
- The SQL injection is reachable via an AJAX action available to unauthenticated users; monitor WordPress AJAX endpoints (wp-admin/admin-ajax.php) for requests containing SQL metacharacters (e.g. single-quote payloads) targeting the Coder plugin.
- Probe/exploit traffic can be fingerprinted by the SQL injection canary value `6'` appended to the `Themes Coder Ecommerce` parameter in the request body.
- The Coder WordPress plugin is only confirmed vulnerable through version 1.3.4; detections should be scoped to installations running <= 1.3.4.
- The AJAX action is accessible to unauthenticated users, so no authentication bypass is required; detection rules should not filter out unauthenticated sessions.
- The rule digest provided in the source may be used to verify rule integrity; validate the digest before deploying the detection rule in production.
No detection rules found.
Nuclei
Themes Coder Ecommerce <= 1.3.4 - SQL Injection (nuclei · CVSS 8.6)
CVE-2024-13726 [HIGH] Themes Coder Ecommerce <= 1.3.4 - SQL Injection
Extracted template fragments:
- `Themes Coder Ecommerce = 6'`
- `status_code == 200`
- `condition: and`
- digest: `4a0a00473045022100c7214d44bb95ba796a38eafb8c1ec46ffa67c6cf765a66d46487ea9f781cd18702206ad7eed7394c282a8eb65e9fb6e1e765b78201efbde82be42eb06a5ee28e80df:922c64590222798bb761d5b6d8e72950`
No writeups or analysis indexed.