CVE-2021-24628: 
WordPress vulnerability analysis and mitigation

The Wow Forms WordPress plugin through version 3.1.3 contains an authenticated SQL injection vulnerability identified as CVE-2021-24628. The vulnerability was discovered by Shreya Pohekar of Codevigilant and was initially identified on June 15, 2021, with public disclosure occurring on October 7, 2021. The vulnerability affects the plugin's form deletion functionality in the WordPress admin dashboard (CodeVigilant, WPScan).

The vulnerability stems from improper sanitization of the 'did' GET parameter in the form deletion functionality. When deleting a form in the admin dashboard, this parameter is directly inserted into an SQL statement without proper validation or escaping. The vulnerability has been assigned a CVSS score of 7.6 (High) and is classified as CWE-89 (SQL Injection). The vulnerable code is located in main.php line 13, where the raw GET parameter is directly used in the SQL query (CodeVigilant, WPScan).

The vulnerability allows authenticated users with administrator access to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized database access, data manipulation, or information disclosure (WPScan).

As of the latest reports, there is no known fix for this vulnerability. The plugin has been closed since June 18, 2021. Website administrators using the affected plugin should consider removing it or implementing additional security measures to restrict access to the admin dashboard (WPScan).