CVE-2021-24666: 
WordPress vulnerability analysis and mitigation

The Podlove Podcast Publisher WordPress plugin before version 3.5.6 contains a critical SQL injection vulnerability (CVE-2021-24666). The vulnerability exists in the 'Social & Donations' module, which is not activated by default. The affected component adds a REST route '/services/contributor/(?P[\d]+)' that accepts 'id' and 'category' parameters, both of which are vulnerable to SQL injection attacks (WPScan).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue allows unauthenticated attackers to inject malicious SQL queries through either the 'id' or 'category' parameters in the REST API endpoint. The vulnerability can be exploited when the 'Social & Donations' module is activated (NVD, WPScan).

If successfully exploited, this vulnerability allows attackers to execute arbitrary SQL queries against the WordPress database, potentially leading to unauthorized access to sensitive data, including user credentials, and possible database manipulation (WPScan).

The vulnerability was patched in version 3.5.6 of the Podlove Podcast Publisher plugin. Users should update to this version or later to protect against this vulnerability. The fix includes proper input validation for both the 'id' and 'category' parameters (GitHub Patch).