CVE-2024-2387: 
WordPress vulnerability analysis and mitigation

The Advanced Form Integration plugin for WordPress (versions up to 1.82.0) contains a SQL Injection vulnerability identified as CVE-2024-2387. The vulnerability exists in the 'integration_id' parameter due to insufficient escaping and preparation of SQL queries. This vulnerability was discovered and reported by Wordfence, with the initial disclosure made on March 19, 2024 (Wordfence Report).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper handling of the 'integration_id' parameter in the plugin's SQL queries, which allows for SQL injection attacks. The vulnerability exists in the plugin's log table functionality, specifically in the class-adfoin-log-table.php file (WordPress Plugin Source).

If exploited, this vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries and potentially inject arbitrary web scripts into pages that execute. The impact is particularly concerning as it can lead to data manipulation and potential execution of malicious scripts if users can be tricked into performing specific actions (Wordfence Report).

Users should immediately update the Advanced Form Integration plugin to a version newer than 1.82.0, as this vulnerability has been addressed in subsequent releases. If immediate updating is not possible, consider disabling the plugin until an update can be applied (Wordfence Report).