CVE-2024-2954: 
WordPress vulnerability analysis and mitigation

The Action Network plugin for WordPress version 1.4.3 contains an SQL Injection vulnerability (CVE-2024-2954) discovered in March 2024. The vulnerability exists in the 'bulk-action' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation. This security flaw affects authenticated users with administrator-level access or higher (NVD).

The vulnerability stems from improper implementation of WordPress's escsql() function, which only escapes values used in strings but does not secure unquoted numeric values, field names, or SQL keywords. The vulnerability exists in the processbulk_action() function within the actionnetwork-action-list.class.php file. The CVSS v3.1 score is 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (STH Blog).

If exploited, attackers with administrator access can append additional SQL queries to existing ones, potentially extracting sensitive information from the database, including user credentials and other confidential data stored in the WordPress database (STH Blog).

As this is a recently discovered vulnerability, website administrators running the Action Network plugin version 1.4.3 should monitor for security updates and implement them as soon as they become available. In the meantime, limiting administrator access and monitoring database queries for suspicious activities is recommended (NVD).