CVE-2024-1118: 
WordPress vulnerability analysis and mitigation

The Podlove Subscribe button plugin for WordPress contains a UNION-based SQL Injection vulnerability (CVE-2024-1118) that affects all versions up to and including 1.3.10. The vulnerability exists in the 'button' attribute of the podlove-subscribe-button shortcode due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (NVD).

The vulnerability stems from improper escaping of user input in the SQL query handling within the plugin. The issue specifically occurs in the base model's query handling where insufficient preparation of SQL statements allows for potential injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to append additional SQL queries to existing queries. This capability can be leveraged to extract sensitive information from the WordPress database (NVD).

A patch has been released to address this vulnerability. The fix involves properly escaping SQL queries using WordPress's prepare statement functionality, as demonstrated in the commit that fixes the vulnerability (GitHub Patch). Users are advised to update to the latest version of the plugin.