CVE-2021-25109: 
WordPress vulnerability analysis and mitigation

The Futurio Extra WordPress plugin before version 1.6.3 contains a SQL Injection vulnerability identified as CVE-2021-25109. This security issue affects high-privilege users and was discovered in January 2022. The vulnerability impacts the plugin's data handling functionality and could potentially be exploited for both data extraction and cross-site scripting attacks (WPScan).

The vulnerability is classified as a SQL Injection (SQLI) with a CVSS v3.1 Base Score of 2.7 (LOW) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. It is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability specifically affects the admin-ajax.php endpoint through the 'dilazmbquery_select' action (NVD, WPScan).

The vulnerability allows high-privilege users to extract sensitive data from the database. Additionally, it can be leveraged to perform Cross-Site Scripting (XSS) attacks against logged-in administrators by compelling them to open malicious links (WPScan).

The vulnerability has been patched in version 1.6.3 of the Futurio Extra plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).