
Cloud Vulnerability DB
A community-led vulnerabilities database
The Smart Manager WordPress plugin before version 8.28.0 contains a SQL injection vulnerability (CVE-2024-0566). The flaw stems from a parameter that is neither sanitized nor escaped before being used in a SQL statement, and it can be exploited by users with high-level privileges such as administrators. The vulnerability was discovered by Ivan Spiridonov and publicly disclosed on January 18, 2024 (WPScan Advisory).
The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.2 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue lies in the plugin's handling of parameters in SQL statements, specifically in the admin-ajax.php endpoint when it processes the 'sm_beta_include_file' action, and can be triggered with specially crafted POST requests to that endpoint (NVD Database, WPScan Advisory).
If exploited, this vulnerability allows an authenticated administrator to inject arbitrary SQL into the plugin's queries, potentially reading or modifying any data in the WordPress database (WPScan Advisory). Because exploitation requires administrator privileges (PR:H in the CVSS vector), the practical impact is greatest where administrators are otherwise restricted, for example on installations with DISALLOW_FILE_MODS set or on multisite networks where only super admins may install code; an unrestricted single-site administrator can already run arbitrary code by installing a plugin, so on such sites the flaw matters mainly as a defense-in-depth and audit-trail concern.
Users should upgrade to Smart Manager version 8.28.0 or later, which contains fixes for this vulnerability (WPScan Advisory).
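To illustrate the class of bug the advisory describes and the shape of the fix, here is an added example written for this page; it is not Smart Manager's own code and does not reproduce the actual vulnerable function. It shows a hypothetical WordPress admin-ajax handler in a vulnerable form, where a POST parameter is concatenated straight into the query, next to a hardened form that adds a nonce check, a capability check, and a parameterized query via $wpdb->prepare(). The table name example_items, the action example_lookup_item and the nonce action name are assumptions; the WordPress APIs used ($wpdb, check_ajax_referer, current_user_can, sanitize_text_field, wp_unslash, wp_send_json_*) are real core functions.

```php
<?php
// Added illustration for this page, not Smart Manager's code.
// Assumptions: a hypothetical table {$wpdb->prefix}example_items, a hypothetical
// AJAX action 'example_lookup_item' and nonce action 'example_lookup_item_nonce'.

// VULNERABLE (CWE-89): the POST parameter is interpolated into the SQL text.
// A request from an administrator can therefore alter the statement, e.g.
//   item_name=x' UNION SELECT user_login, user_pass FROM wp_users -- -
// sanitize_text_field() alone does not help here: it strips tags and control
// characters but leaves quotes and SQL keywords intact.
function example_lookup_item_vulnerable() {
    global $wpdb;

    $name = $_POST['item_name'] ?? '';
    $sql  = "SELECT id, name FROM {$wpdb->prefix}example_items WHERE name = '" . $name . "'";
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    wp_send_json_success( $rows );
}

// HARDENED: verify the request came from the admin UI (nonce), verify the caller
// holds the needed capability, then bind the value with $wpdb->prepare() so it
// can never change the structure of the statement.
function example_lookup_item_hardened() {
    global $wpdb;

    // Dies with a 403 response when the nonce is missing or invalid (default $die = true).
    check_ajax_referer( 'example_lookup_item_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() is input hygiene, not the injection defense.
    $name = sanitize_text_field( wp_unslash( $_POST['item_name'] ?? '' ) );

    // %s is quoted and escaped by prepare(). Placeholders cover values only:
    // table and column names must be fixed strings or come from an allow-list.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}example_items WHERE name = %s",
        $name
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    wp_send_json_success( $rows );
}

// Only the hardened handler is registered; wp_ajax_* hooks run for logged-in users.
add_action( 'wp_ajax_example_lookup_item', 'example_lookup_item_hardened' );
```

When reviewing a plugin for this class of issue, grep for $wpdb->query, get_results, get_var and get_row calls whose SQL string is built with concatenation or double-quoted interpolation of request data, and confirm that every such call site either goes through $wpdb->prepare() or uses only trusted constants; a capability check is necessary but, as this CVE shows, not sufficient on its own.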
Source: This report was generated using AI