CVE-2021-24285: 
WordPress vulnerability analysis and mitigation

CVE-2021-24285 is an Unauthenticated SQL Injection vulnerability discovered in the Car Seller - Auto Classifieds Script WordPress plugin versions 2.1.0 and below. The vulnerability was publicly disclosed on April 26, 2021, and was discovered by Shreya Pohekar of Codevigilant Project (WPScan).

The vulnerability exists in the requestlistrequest AJAX call of the plugin, which is accessible to both authenticated and unauthenticated users. The security flaw stems from the plugin's failure to properly sanitize, validate, or escape the order_id POST parameter before using it in a SQL statement. The vulnerability has been assigned a critical CVSS score of 9.9 and is classified as an OWASP Top 10 A1: Injection vulnerability with CWE-89 categorization (WPScan).

This vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations, potentially leading to unauthorized access to sensitive database information and possible database manipulation (WPScan).

As of the vulnerability disclosure, there was no known fix available for this security issue. Website administrators running the affected plugin versions should consider either removing the plugin or implementing additional security measures at the web application firewall level (WPScan).