CVE-2021-24554: 
WordPress vulnerability analysis and mitigation

The Paytm - Donation Plugin WordPress plugin through version 1.3.2 contains an authenticated SQL injection vulnerability. The vulnerability was discovered by Shreya Pohekar of Codevigilant and was assigned CVE-2021-24554. The issue was identified on June 1, 2021, and publicly disclosed on July 23, 2021 (CodeVigilant).

The vulnerability exists in the delete order functionality where the 'id' GET parameter is passed directly into an SQL statement without proper sanitization, validation, or escaping. The vulnerable code is located in wp-paytm-pay-listings.php on line 22. The CVSS score for this vulnerability is 6.8 (medium), and it is classified as an Injection vulnerability (OWASP Top 10 A1) with CWE-89 (WPScan).

When exploited, this vulnerability allows authenticated users with administrator privileges to perform SQL injection attacks against the WordPress database through the plugin's donation deletion feature (CodeVigilant).

The plugin has been closed since June 3, 2021, and there is no known fix available. Users are advised to remove the plugin and find alternative solutions (CodeVigilant).