CVE-2021-24754: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24754 affects the MainWP Child Reports WordPress plugin versions below 2.0.8. This SQL injection vulnerability was discovered and publicly disclosed on September 20, 2021. The issue exists in the admin dashboard of the plugin, where insufficient input validation could allow privileged users to perform SQL injection attacks (WPScan).

The vulnerability stems from improper validation and sanitization of the 'order' parameter in the admin dashboard SQL statements. The issue is classified as an SQL Injection (SQLI) vulnerability, falling under the OWASP Top 10 category A1: Injection and CWE-89. It has been assigned a CVSS score of 6.8 (medium severity). A proof of concept demonstrates that by manipulating the order parameter in the URL path '/wp-admin/options-general.php?page=mainwp-reports-page', an attacker can cause the web page to freeze for 5 seconds through a time-based SQL injection (WPScan).

The SQL injection vulnerability could potentially allow authenticated users with administrative access to manipulate database queries, potentially leading to unauthorized access to sensitive information stored in the WordPress database (WPScan).

The vulnerability has been fixed in version 2.0.8 of the MainWP Child Reports plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).