CVE-2024-13680: 
WordPress vulnerability analysis and mitigation

The Form Builder CP plugin for WordPress (CVE-2024-13680) contains a SQL Injection vulnerability that affects all versions up to and including 1.2.41. The vulnerability was discovered by Peter Thaleikis and publicly disclosed on January 23, 2025. The issue exists in the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) (Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to append additional SQL queries to existing ones. This capability can be leveraged to extract sensitive information from the WordPress database (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Form Builder CP plugin to a version newer than 1.2.41 (WordPress Patch).