CVE-2024-13234: 
WordPress vulnerability analysis and mitigation

The Product Table by WBW plugin for WordPress contains a SQL Injection vulnerability (CVE-2024-13234) affecting all versions up to and including 2.1.2. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on January 23, 2025 (NVD Database).

The vulnerability exists due to insufficient escaping of the 'additionalCondition' parameter and inadequate preparation of existing SQL queries. This SQL injection vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Wordfence assigned a score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD Database).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database (NVD Database).

A patch has been released to address this vulnerability. Users should upgrade to version 2.1.3 or later of the Product Table by WBW plugin (WordPress Patch).