CVE-2021-24484: 
WordPress vulnerability analysis and mitigation

CVE-2021-24484 is a SQL injection vulnerability discovered in the WordPress plugin Secure Copy Content Protection and Content Locking versions below 2.6.7. The vulnerability was publicly disclosed on June 29, 2021, and was discovered by security researcher To Quang Duong (WPScan).

The vulnerability exists in the getreports() function of the plugin, which fails to properly validate or whitelist the orderby parameter before using it in SQL statements passed to the getresults() DB calls. This results in SQL injection vulnerabilities that can be exploited through the admin dashboard. The vulnerability has been assigned a CVSS score of 7.6 (High) and is classified as a CWE-89 type vulnerability under the OWASP Top 10 category A1: Injection (WPScan).

The vulnerability allows authenticated users with access to the admin dashboard to perform SQL injection attacks, potentially leading to unauthorized access to the database and manipulation of stored data (WPScan).

The vulnerability has been fixed in version 2.6.7 of the Secure Copy Content Protection and Content Locking plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).