Critical Vulnerability in GamiPress Plugin Allows Hackers to Inject SQL Queries, Putting WordPress Sites at Risk

WordPress is one of the most popular content management systems (CMS) in the world, used by millions of websites. To enhance its functionality, numerous plugins are available. One such plugin is GamiPress, which adds gamification elements (reward and achievement systems) to websites.

However, cybersecurity researchers have recently discovered a critical SQL Injection vulnerability in this plugin’s code. Exploiting this flaw, hackers could send malicious SQL queries to the website’s database and gain unauthorized access to sensitive information.

Vulnerability Details

🔹 CVE Identifier: CVE-2024-13496
🔹 Severity Level: High (CVSS 3.1 Score – 7.5)
🔹 Affected Versions: GamiPress 7.2.1 and earlier
🔹 Fixed Version: 7.3.2 (Released on March 18, 2025)
🔹 Exploitation Requirements: No authentication required; an attacker only needs to send a specially crafted HTTP request

Cybersecurity researcher Abrahack discovered the vulnerability while analyzing GamiPress version 7.2.1. The flaw was found in the AJAX endpoint gamipress_get_logs, which used wp_ajax_nopriv_{$action}, allowing unauthenticated access.

The vulnerability stemmed from improper handling of the orderby parameter in SQL queries. Although the plugin attempted to sanitize input using sanitize_text_field(), it was insufficient to prevent exploitation. The main issue lay in the CT_Query class, where the orderby parameter was directly incorporated into an SQL query without proper validation.

As a result, attackers could send specially crafted HTTP requests containing malicious SQL code, gaining full control over the WordPress site’s database.

Why Is This Vulnerability Dangerous?

✅ No authentication required – Any hacker could attack the site without logging in.
✅ Full database access – Attackers could steal confidential data, including user credentials and other sensitive information.
✅ Potential site takeover or shutdown – Malicious SQL queries could corrupt or completely disable the database, rendering the site unusable.

GamiPress developers addressed the issue in version 7.3.2 by implementing a whitelist-based approach for the orderby parameter, restricting it to predefined safe column names. This effectively prevents attackers from injecting malicious SQL commands.

What Should WordPress Administrators Do?

✔ Immediately update GamiPress to version 7.3.2 or later.
✔ Review server logs for suspicious activity or unusual requests.
✔ Implement a Web Application Firewall (WAF) to block malicious SQL injection attempts.
✔ Follow WordPress security best practices, such as using only necessary plugins and keeping them up to date.

This vulnerability in GamiPress once again highlights the importance of WordPress site security. Immediate updates and proactive security measures are essential for site administrators to prevent potential exploitation.

This case serves as a reminder of the need for regular CMS and plugin security scans, timely updates, and strict cybersecurity practices.

If your WordPress site uses GamiPress or similar plugins, ensure continuous security monitoring and apply updates without delay!