CVE-2021-24631: 
WordPress vulnerability analysis and mitigation

The Unlimited PopUps WordPress plugin through version 4.5.3 contains an authenticated SQL Injection vulnerability (CVE-2021-24631). The vulnerability was identified by Shreya Pohekar and was first disclosed to WPScan on June 15, 2021, with public disclosure occurring on October 7, 2021. The vulnerability affects users with editor-level privileges or higher (CodeVigilant).

The vulnerability stems from improper sanitization of the 'did' GET parameter in the delete popup feature. When this parameter is processed, it is directly inserted into an SQL statement without proper validation or escaping. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-89 (SQL Injection) (NVD, WPScan).

The SQL injection vulnerability could allow authenticated users with editor privileges to execute arbitrary SQL commands against the WordPress database. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and possible escalation of privileges (WPScan).

The plugin has been closed since June 22, 2021, and there is no known fix available for this vulnerability. Users are advised to remove the plugin from their WordPress installations (WPScan).