CVE-2021-24521: 
WordPress vulnerability analysis and mitigation

The Side Menu Lite WordPress plugin versions before 2.2.1 contains an SQL injection vulnerability (CVE-2021-24521) that was discovered in June 2021. The vulnerability affects the menu update functionality of the plugin, where input values from the browser are not properly sanitized when building SQL statements. This security flaw specifically impacts users with administrator privileges or those who have permission to manage the plugin (WPScan).

The vulnerability exists in the file 'side-menu-lite/admin/partials/include-data.php' when the parameter $act equals 'duplicate'. The issue occurs because the 'id' parameter from GET requests is directly used in MySQL select statements without proper sanitization or validation. The vulnerability has been assigned a CVSS score of 3.8 (Low) and is classified as CWE-89 (SQL Injection). A proof of concept demonstrates that visiting a specially crafted URL with an injected SQL sleep command results in a delayed response, confirming the SQL injection vulnerability (GitHub POC).

The vulnerability allows authenticated users with administrator privileges to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or other malicious database operations (WPScan).

The vulnerability has been fixed in version 2.2.1 of the Side Menu Lite plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).