CVE-2024-31233: 
WordPress vulnerability analysis and mitigation

The REHub WordPress theme contains a SQL Injection vulnerability (CVE-2024-31233) affecting versions up to and including 19.6.1. This vulnerability was discovered by security researcher Rafie Muhammad and was fixed in version 19.6.2. The issue affects the premium version of the REHub theme, which has over 35,000 sales and is widely used for price comparison and multi-vendor marketplace websites (Patchstack Article).

The vulnerability exists in the getproductstitlelist function where the $savedids variable is constructed from $POST['saved'] and used on the $newquery['order'] object without proper sanitization. The value is then constructed on the $final_query variable and executed as a SQL query. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L (NVD, Patchstack Article).

This SQL Injection vulnerability allows authenticated attackers with subscriber-level access and above to append additional SQL queries into existing queries, potentially enabling them to extract sensitive information from the database (WPScan).

The vulnerability has been patched in version 19.6.2 of the REHub theme. The fix involves applying an integer cast to the $saved_ids variable using intval before constructing the SQL query. Users are strongly advised to update to version 19.6.2 or later immediately (Patchstack Article).

The security community has emphasized the critical nature of this vulnerability, particularly due to the theme's popularity with over 35,000 sales. Security researchers have urged immediate patching due to the potential for mass exploitation (Security Online).