CVE-2024-25928: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2024-25928) was discovered in Sitepact's Contact Form 7 Extension for Klaviyo WordPress plugin versions up to 1.0.5. The vulnerability was disclosed on February 15, 2024, and affects the plugin's handling of user-supplied parameters (Patchstack).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. This SQL injection vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a CVSS score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (WPScan).

The vulnerability has been fixed in version 3.0.0 of the plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).