CVE-2024-13321: 
WordPress vulnerability analysis and mitigation

The AnalyticsWP plugin for WordPress contains a SQL Injection vulnerability (CVE-2024-13321) that affects all versions up to and including 2.0.0. The vulnerability was discovered and reported by Wordfence, with the initial CVE record being created on January 9, 2025 (CVE Details).

The vulnerability exists due to insufficient authorization checks in the handle_get_stats() function, specifically involving the 'custom_sql' parameter. This security flaw allows unauthenticated attackers to append additional SQL queries to existing queries. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Wordfence assessed it with a score of 7.5 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) (NVD).

The vulnerability enables unauthenticated attackers to extract sensitive information from the database through SQL injection attacks. The high severity scores indicate that this vulnerability poses a significant risk to affected systems, potentially allowing unauthorized access to and extraction of sensitive data (NVD).

Users should upgrade their AnalyticsWP plugin to version 2.1.0 or later, as versions up to and including 2.0.0 are affected by this vulnerability (NVD).