CVE-2021-24492: 
WordPress vulnerability analysis and mitigation

CVE-2021-24492 is a SQL Injection vulnerability discovered in the Handsome Testimonials & Reviews WordPress plugin versions below 2.1.1. The vulnerability was identified by Shreya Pohekar of Codevigilant Project and was publicly disclosed on June 29, 2021. The issue affects the plugin's AJAX functionality and is exploitable by any authenticated user with subscriber-level access or higher (CodeVigilant, WPScan).

The vulnerability exists in the hndtstactioninstancecallback AJAX call of the plugin, where the hndtstpreviewShortcodeInstanceId POST parameter is not properly sanitized, validated, or escaped before being used in SQL statements. The vulnerability has been assigned a CVSS score of 9.9 (Critical) and is classified as CWE-89 (SQL Injection). The issue is present in the file tstshortcodegenerator.php at line 451, where the unsanitized input is directly used in a database query (CodeVigilant, WPScan).

This vulnerability allows authenticated users with subscriber-level access or higher to perform SQL injection attacks against the affected WordPress installations. Successful exploitation could lead to unauthorized access to the database, potentially exposing sensitive information or allowing manipulation of database contents (WPScan).

The vulnerability has been fixed in version 2.1.1 of the Handsome Testimonials & Reviews plugin. Site administrators are strongly advised to update to this version or later to protect against potential SQL injection attacks (WPScan).