CVE-2024-22147: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2024-22147) was discovered in WP Overnight PDF Invoices & Packing Slips for WooCommerce plugin versions up to and including 3.7.5. The vulnerability was disclosed on January 12, 2024, and affects the get_numbers() function due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (Patchstack, WPScan).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.2 (High) according to NVD, and 7.6 (High) according to Patchstack. The issue exists in the get_numbers() function where insufficient escaping of user-supplied parameters and lack of proper SQL query preparation allows for SQL injection attacks. The vulnerability requires authentication with shop manager-level access or higher privileges (NVD, Patchstack).

The vulnerability allows authenticated attackers with shop manager-level access or higher to append additional SQL queries to existing ones, potentially extracting sensitive information from the database (WPScan).

The vulnerability has been patched in version 3.7.6 of the plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).