CVE-2021-24458: 
WordPress vulnerability analysis and mitigation

CVE-2021-24458 is a SQL injection vulnerability affecting the WordPress plugin Popup box versions below 2.3.4. The vulnerability was discovered by To Quang Duong and was publicly disclosed on June 29, 2021. This security issue affects the plugin's admin dashboard functionality (WPScan).

The vulnerability exists in the getayspopupboxes() and getpopupcategories() functions of the plugin, which failed to properly validate or whitelist the orderby parameter before using it in SQL statements passed to the get_results() DB calls. This results in SQL injection vulnerabilities in the admin dashboard. The vulnerability has been assigned a CVSS score of 7.6 (High) and is classified as CWE-89, falling under the OWASP Top 10 category A1: Injection (WPScan).

The vulnerability allows authenticated users to perform SQL injection attacks through the admin dashboard, potentially leading to unauthorized access to or manipulation of the database (WPScan).

The vulnerability has been fixed in version 2.3.4 of the Popup box plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).