CVE-2024-12109: 
WordPress vulnerability analysis and mitigation

The Product Labels For Woocommerce (Sale Badges) WordPress plugin before version 1.5.9 contains a SQL injection vulnerability. The plugin fails to properly sanitize and escape a parameter before using it in a SQL statement, which could allow administrators to perform SQL injection attacks (WPScan, NVD).

The vulnerability exists in the plugin's product list functionality where a parameter is not properly sanitized before being used in SQL queries. The issue has been assigned a CVSS v3.1 base score of 4.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (WPScan).

The vulnerability allows authenticated administrators to perform SQL injection attacks through the product list functionality. While the impact is somewhat limited due to the high privileges required to exploit the vulnerability, it could potentially lead to unauthorized access to database information (WPScan).

Users are advised to update to version 1.5.9 or later of the Product Labels For Woocommerce plugin, which contains the fix for this vulnerability (WPScan).