CVE-2024-1981: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid plugin for WordPress contains a SQL Injection vulnerability (CVE-2024-1981) in version 0.9.68. The vulnerability exists in the 'table_prefix' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation. This security flaw allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (NVD).

The vulnerability specifically affects the wpvividstgstartstagingprogressfree function through the table_prefix parameter. When malicious SQL queries are injected through this parameter, the system returns SQL exceptions that indicate successful SQL injection. The vulnerability has received a CVSS v3.1 base score of 9.1 (CRITICAL) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, while Wordfence assessed it at 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, HiSolutions Research).

The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive database information. The high severity scores indicate that successful exploitation could result in significant data breaches and system compromise (NVD).

The vulnerability has been patched in version 0.9.69 of the WPvivid plugin. The fix involves disabling the vulnerable wpvividstgstartstagingfree action in the includes/staging/class-wpvivid-staging.php file. Users are strongly advised to upgrade to version 0.9.69 or higher as soon as possible ([WordPress Patch](https://plugins.trac.wordpress.org/changeset?oldpath=%2Fwpvivid-backuprestore%2Ftrunk&old=2667839&new_path=%2Fwpvivid-backuprestore%2Ftrunk&new=2667839)).