CVE-2024-13846: 
WordPress vulnerability analysis and mitigation

The Indeed Ultimate Learning Pro plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2024-13846) in versions up to and including 3.9. The vulnerability was discovered and disclosed on February 21, 2025. The plugin is affected due to insufficient escaping of the 'post_id' parameter and inadequate preparation of existing SQL queries (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 score of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue allows authenticated attackers with Administrator-level access or higher to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (NVD).

The vulnerability allows authenticated attackers with administrative privileges to potentially extract sensitive information from the WordPress database through SQL injection attacks. The high confidentiality impact (C:H) in the CVSS score indicates that the vulnerability could lead to significant data exposure (NVD).

The vulnerability was addressed in version 3.9.1 released on February 20, 2025. Users are advised to update to this latest version to protect against potential exploitation (CodeCanyon).