CVE-2024-1512: 
WordPress vulnerability analysis and mitigation

The MasterStudy LMS WordPress Plugin for Online Courses and Education is affected by a union-based SQL Injection vulnerability (CVE-2024-1512) in versions up to and including 3.2.5. The vulnerability exists in the 'user' parameter of the /lms/stm-lms/order/items REST route due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (NVD).

The vulnerability is classified as CWE-89 (SQL Injection) and has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue stems from improper neutralization of special elements used in SQL commands, allowing attackers to manipulate existing queries (NVD).

This vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. The high CVSS score indicates critical severity with potential for complete compromise of system confidentiality, integrity, and availability (NVD).

Users should immediately update to a version newer than 3.2.5 of the MasterStudy LMS WordPress Plugin. The vulnerability has been patched in subsequent releases (NVD).