CVE-2021-24959: 
WordPress vulnerability analysis and mitigation

The WP Email Users WordPress plugin through version 1.7.6 contains a SQL injection vulnerability (CVE-2021-24959). The vulnerability exists because the plugin does not properly escape the dataraw parameter in the weuselectedusers1 AJAX action, which is accessible to any authenticated users. The vulnerability was discovered in January 2022 and publicly disclosed on January 31, 2022 (WPScan Advisory).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper input validation where the dataraw parameter in the weuselectedusers1 AJAX action is not properly escaped before being used in SQL queries (NVD, WPScan Advisory).

When exploited, this vulnerability allows authenticated users, including those with low-privilege roles like subscribers, to perform SQL injection attacks. This could lead to unauthorized access to sensitive information, including the ability to extract user email addresses and other data from the WordPress database (WPScan Advisory).

At the time of disclosure, there was no known fix available for this vulnerability. Users of the WP Email Users plugin version 1.7.6 or earlier should consider either removing the plugin or implementing additional security controls to restrict access to the affected functionality (WPScan Advisory).