CVE-2024-13095: 
WordPress vulnerability analysis and mitigation

The WP Triggers Lite WordPress plugin through version 2.5.3 contains a SQL injection vulnerability identified as CVE-2024-13095. The vulnerability was discovered by Bob Matyas and publicly disclosed on January 6, 2025. The issue affects the plugin's parameter handling in the admin interface, where insufficient sanitization and escaping of input allows authenticated administrators to perform SQL injection attacks (WPScan).

The vulnerability stems from improper input validation where a parameter is not properly sanitized and escaped before being used in SQL statements. The CVSS v3.1 score is 4.8 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. A proof of concept exploit involves accessing the URL path '/wp-admin/admin.php?page=add-trigger&trigger_id=' with a malicious SQL payload (WPScan).

The vulnerability allows authenticated administrators to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized access to data, manipulation of database contents, and possible escalation of privileges (WPScan).

Currently, there is no known fix available for this vulnerability. Users should consider disabling the plugin until a security patch is released (WPScan).