CVE-2024-13184
Description
The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP Extended plugin for WordPress (up to v3.0.12) contains an unauthenticated time-based SQL injection in its Login Attempts module.
Vulnerability
Description
The Ultimate WordPress Toolkit – WP Extended plugin contains a time-based SQL injection vulnerability in its Login Attempts module. The root cause is insufficient escaping of a user-supplied parameter combined with a lack of prepared statements in the existing SQL query. This affects all versions up to and including 3.0.12 [1].
Exploitation
Method
An unauthenticated attacker can exploit this flaw by sending specially crafted requests to the login functionality. Because the parameter is not properly sanitized and the query is not prepared, the attacker can inject SQL syntax that causes time delays, enabling blind injection techniques. No authentication is required, and the attack can be performed remotely over HTTP [1].
Impact
Successful exploitation allows the attacker to append additional SQL queries to the original query. This can be used to extract sensitive information from the WordPress database, such as user credentials, session tokens, or private content. Time-based SQL injection is slower but reliable for data exfiltration when direct output is not visible [1].
Mitigation
Users must update to a patched version of the plugin. The vendor has released a fix, and the vulnerability is addressed in versions after 3.0.12. No workaround is available; updating the plugin is the only known mitigation [1].
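Since updating is the only mitigation listed, the first step on any given site is to confirm which version is installed. The following is an added example, not code from the plugin or the advisory: it reads the standard WordPress plugin header and compares it with the 3.0.12 boundary stated above. The directory name `wpextended` is taken from the reference URLs and is assumed to match the installed slug; the fixture file `main.php` and its header contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

LAST_VULNERABLE = (3, 0, 12)  # advisory: all versions up to and including 3.0.12
PLUGIN_SLUG = "wpextended"    # slug taken from the wordpress.org reference URL
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def parse_version(text):
    """'3.0.12' or '3.0.13-beta' -> tuple of ints, padded to at least three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def installed_version(plugins_dir):
    """Version header from the first 8 KB of a root PHP file; '' if unreadable, None if absent."""
    root = Path(plugins_dir) / PLUGIN_SLUG
    if not root.is_dir():
        return None
    for php in sorted(root.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head) and (match := VERSION_RE.search(head)):
            return match.group(1)
    return ""


def assess(plugins_dir):
    """Classify one install: not-installed, unknown, vulnerable or patched."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    if not re.search(r"\d", version):
        return "unknown"
    return "vulnerable" if parse_version(version) <= LAST_VULNERABLE else "patched"


def make_fixture(version):
    """Constructed sample: temp plugins dir holding a minimal plugin header."""
    plugin = Path(tempfile.mkdtemp()) / PLUGIN_SLUG
    plugin.mkdir()
    header = f"<?php\n/**\n * Plugin Name: WP Extended\n * Version: {version}\n */\n"
    (plugin / "main.php").write_text(header, encoding="utf-8")
    return plugin.parent


if __name__ == "__main__":
    print({v: assess(make_fixture(v)) for v in ("3.0.2", "3.0.12", "3.0.13")})
```

On a real host, pass the site's `wp-content/plugins` directory to `assess()`; an `unknown` result means the plugin directory exists but no parseable version header was found and the install should be checked by hand.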
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_limit_login_attempts/wpext_limit_login_attempts.php (nvd)
- plugins.trac.wordpress.org/changeset/3220003/ (nvd)
- wordpress.org/plugins/wpextended/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/abab29c7-88a9-4c6f-9691-ed9087cde2ff (nvd)