CVE-2021-24957: 
WordPress vulnerability analysis and mitigation

CVE-2021-24957 is a SQL injection vulnerability affecting the Advanced Page Visit Counter WordPress plugin versions below 6.1.6. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on March 29, 2022. This security flaw affects the plugin's functionality that handles page visit counting in WordPress installations (WPScan).

The vulnerability stems from improper input validation where the plugin fails to properly escape the 'artID' parameter in the apvcresetcount_art AJAX action. This vulnerability is accessible to any authenticated user, including those with subscriber-level access. The CVSS score for this vulnerability is rated as high at 7.7, and it is classified as an SQL Injection (SQLI) vulnerability under the OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

The SQL injection vulnerability could allow authenticated attackers to manipulate database queries, potentially leading to unauthorized access to sensitive data, modification of database contents, or compromise of the WordPress installation's integrity (WPScan).

The vulnerability has been fixed in version 6.1.6 of the Advanced Page Visit Counter plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).