CVE-2024-22154: 
WordPress vulnerability analysis and mitigation

The SalesKing WordPress plugin contains an Unauthenticated Sensitive Information Exposure vulnerability (CVE-2024-22154) affecting versions up to and including 1.6.15. The vulnerability was discovered by Dave Jong and publicly disclosed on January 16, 2024. This security issue affects the SNP Digital SalesKing plugin for WordPress installations (Patchstack, WPScan).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 Base Score of 7.5 (HIGH). The attack vector is characterized as Network-based (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U) with High confidentiality impact (C:H) but No impact on integrity (I:N) or availability (A:N) (Patchstack).

The vulnerability allows unauthenticated attackers to extract sensitive user or configuration data from WordPress installations running the affected versions of the SalesKing plugin (WPScan).

Users are advised to update to SalesKing version 1.6.30 or later which contains fixes for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).