CVE-2024-0610: 
WordPress vulnerability analysis and mitigation

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress (versions up to and including 1.6.5.1) contains a time-based blind SQL Injection vulnerability identified as CVE-2024-0610. The vulnerability was discovered and disclosed on February 17, 2024. This security issue affects the 'MerchantReference' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 9.8 (CRITICAL), indicating maximum severity. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which shows that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. Given the CVSS score of 9.8, this represents a critical security risk with potential for complete system compromise (NVD).

A patch has been released to address this vulnerability. Users should upgrade to versions newer than 1.6.5.1 of the Piraeus Bank WooCommerce Payment Gateway plugin (WordPress Patch).