CVE-2021-24138: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24138 vulnerability affects the AdRotate WordPress plugin versions before 5.8.4. It is an authenticated SQL injection vulnerability that exists via the 'id' parameter. The vulnerability was discovered by Nguyen Anh Tien from SunCSR (Sun* Cyber Security Research) and was publicly disclosed on June 3, 2020 (WPScan).

The vulnerability is classified as an SQL injection (SQLI) with a CVSS score of 6.7 (medium severity) and is mapped to CWE-89. The issue exists in the plugin's statistics view where the 'id' parameter is not properly validated. The vulnerability can be exploited through the WordPress admin panel at the path 'wp-admin/admin.php?page=adrotate-statistics&view=group&id=' where malicious SQL queries can be injected. Notably, the plugin author initially misidentified this SQL injection vulnerability as an XSS issue, though the implemented fix addressed the underlying problem (WPScan).

The vulnerability allows an authenticated administrator to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized access to database contents, manipulation of data, or extraction of sensitive information. Example proof-of-concept attacks demonstrated the ability to cause time delays in server responses and extract system information such as MySQL version details (WPScan).

The vulnerability has been fixed in AdRotate version 5.8.4. Users are advised to update to this version or later to mitigate the risk. The fix was implemented despite the initial misclassification of the vulnerability type (WPScan).