CVE-2024-13184: 
WordPress vulnerability analysis and mitigation

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2024-13184) discovered in January 2025. The vulnerability affects all versions up to and including 3.0.12 and is specifically located in the Login Attempts module. This security issue impacts WordPress installations using the affected plugin versions (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the Login Attempts module. This allows unauthenticated attackers to append additional SQL queries to existing ones, potentially leading to unauthorized data extraction from the database. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database through SQL injection techniques. This could potentially lead to unauthorized access to confidential data stored in the database (NVD).

The vulnerability has been patched in version 3.0.13 of the WP Extended plugin. Users are advised to update to this version or later to address the security issue. The update includes fixes for the Login Attempts Module, specifically addressing the SQL Injection vulnerability and implementing proper sanitization of values (WordPress Plugin).