CVE-2021-24952: 
WordPress vulnerability analysis and mitigation

The Conversios.io WordPress plugin (also known as enhanced-e-commerce-for-woocommerce-store) before version 4.6.2 contains a SQL injection vulnerability identified as CVE-2021-24952. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on February 1, 2022 (WPScan).

The vulnerability stems from improper handling of the sync_progressive_data parameter in the tvcajax_product_sync_bantch_wise AJAX action. The plugin fails to properly sanitize, validate, and escape this parameter before using it in SQL statements. The vulnerability has been assigned a CVSS score of 7.7 (High) and is classified as a SQL Injection (SQLI) vulnerability under OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

This vulnerability allows any authenticated user, including those with subscriber-level access, to perform SQL injection attacks against the affected WordPress installation. This could potentially lead to unauthorized access to or manipulation of the database (WPScan).

The vulnerability has been fixed in version 4.6.2 of the Conversios.io plugin. Users are advised to update to this version or later to protect against potential SQL injection attacks (WPScan).