CVE-2021-24506: 
WordPress vulnerability analysis and mitigation

The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before version 8.2.7 contains a SQL injection vulnerability (CVE-2021-24506). The vulnerability was discovered and publicly disclosed on July 26, 2021. The issue affects the plugin's hero-button shortcode functionality, where the id attribute is not properly sanitized or escaped before being used in SQL statements (WPScan).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper neutralization of special elements used in SQL commands within the hero-button shortcode functionality. Users with privileges as low as Contributor can exploit this vulnerability by manipulating the id attribute in SQL statements (NVD, WPScan).

The vulnerability allows attackers with Contributor-level access to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, and possible escalation of privileges (WPScan).

The vulnerability has been fixed in version 8.2.7 of the Slider Hero plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).