CVE-2021-24462: 
WordPress vulnerability analysis and mitigation

CVE-2021-24462 affects the Photo Gallery by Ays - Responsive Image Gallery WordPress plugin versions below 4.4.4. The vulnerability was discovered by To Quang Duong and was publicly disclosed on June 29, 2021. This security issue involves authenticated blind SQL injection vulnerabilities in the plugin's admin dashboard functionality (WPScan).

The vulnerability stems from improper input validation in the getgallerycategories() and getgalleries() functions. These functions fail to properly whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults() DB calls. The vulnerability has been assigned a CVSS score of 7.6 (High), and is classified as a SQL Injection (SQLI) vulnerability under OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

The vulnerability allows authenticated users with access to the admin dashboard to perform SQL injection attacks. This could potentially lead to unauthorized access to the database, data manipulation, and exposure of sensitive information stored in the WordPress database (WPScan).

The vulnerability has been fixed in version 4.4.4 of the Photo Gallery by Ays - Responsive Image Gallery plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).