CVE-2021-24625: 
WordPress vulnerability analysis and mitigation

The SpiderCatalog WordPress plugin through version 1.7.3 contains a SQL injection vulnerability (CVE-2021-24625) that affects the admin dashboard. The vulnerability was discovered by Shreya Pohekar of Codevigilant and publicly disclosed on October 7, 2021. The issue affects the catalog plugin with no known fix available as the plugin has been closed (WPScan).

The vulnerability exists in the add category functionality available to users with administrator role. The plugin fails to properly sanitize or escape the 'parent' and 'ordering' POST parameters before using them in SQL statements when adding a category. The vulnerable code is located in Categories.php line 320. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified as a SQL Injection vulnerability under OWASP Top 10 category A1: Injection and CWE-89 (WPScan, CodeVigilant).

When exploited, this vulnerability allows authenticated administrators to perform SQL injection attacks through the admin dashboard. An attacker could potentially extract sensitive information from the database or manipulate database contents by injecting malicious SQL queries (CodeVigilant).

There is no official fix available for this vulnerability as the plugin has been closed. The recommended mitigation is to remove the SpiderCatalog plugin from WordPress installations and find an alternative solution (WPScan).