CVE-2024-11267: 
WordPress vulnerability analysis and mitigation

The JSP Store Locator WordPress plugin through version 1.0 contains a SQL injection vulnerability that affects users with Contributor-level access or higher. The vulnerability was discovered and publicly disclosed on May 15, 2025, and has been assigned CVE-2024-11267. This security flaw exists in the plugin's admin interface where a parameter is not properly sanitized before being used in SQL queries (WPScan).

The vulnerability is classified as SQL Injection (SQLI) and falls under the OWASP Top 10 category A1: Injection and CWE-89. It has received a CVSS v3.1 base score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability can be exploited through the admin interface at the path '/wp-admin/admin.php?page=jspsl-categories&action=delete&id=' where the id parameter is vulnerable to SQL injection (WPScan, NIST).

Successful exploitation of this vulnerability could allow an authenticated user with Contributor-level access to perform SQL injection attacks against the database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or extraction of information from the database (Wiz).

Currently, there is no known fix available for this vulnerability. Website administrators are advised to consider removing the JSP Store Locator plugin until a security patch is released by the developer (WPScan).