CVE-2021-24753: 
WordPress vulnerability analysis and mitigation

The Rich Reviews by Starfish WordPress plugin versions before 1.9.6 contained a significant security vulnerability identified as CVE-2021-24753. The vulnerability was discovered and publicly disclosed on November 29, 2021. This security issue affects the plugin's pending reviews page functionality, specifically related to improper validation of the orderby GET parameter (WPScan).

The vulnerability is classified as an authenticated SQL injection (SQLi) issue with a CVSS v3.1 base score of 7.2 (HIGH), characterized by the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability exists in the pending reviews page where the orderby GET parameter is not properly sanitized before being used in SQL queries (NVD).

The vulnerability allows authenticated users with appropriate privileges to perform SQL injection attacks against the affected WordPress installations. This could potentially lead to unauthorized access to the database, data manipulation, and exposure of sensitive information stored in the WordPress database (WPScan).

The vulnerability has been patched in version 1.9.6 of the Rich Reviews plugin. Website administrators running affected versions should immediately update to version 1.9.6 or later to mitigate this security risk (WordPress Patch).