CVE-2021-24360: 
WordPress vulnerability analysis and mitigation

The Yes/No Chart WordPress plugin before version 1.0.12 contains a SQL injection vulnerability identified as CVE-2021-24360. The vulnerability was discovered and reported on January 14, 2021, affecting the plugin's sid shortcode parameter which was not properly sanitized before being used in SQL statements. This security flaw affects WordPress installations using the Yes/No Chart plugin versions prior to 1.0.12 (WPScan).

The vulnerability is classified as a Blind SQL Injection with a CVSS score of 8.3 (high). The security flaw exists in the sid shortcode parameter processing, where the lack of proper sanitization allows for SQL injection attacks. The vulnerability is categorized under OWASP Top 10 A1: Injection and CWE-89. The issue specifically affects users with contributor-level privileges or higher (WPScan).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to perform Blind SQL Injection attacks. Attackers can potentially extract sensitive data from the database by analyzing error messages returned by the system, specifically checking for 'invalid ID' or 'no question' responses (WPScan).

The vulnerability has been patched in version 1.0.12 of the Yes/No Chart WordPress plugin. Site administrators are advised to update to this version or later to mitigate the risk (WPScan).