CVE-2024-3561: 
WordPress vulnerability analysis and mitigation

The Custom Field Suite plugin for WordPress is vulnerable to SQL Injection via the 'Term' custom field in versions up to and including 2.6.7. The vulnerability was disclosed on June 19, 2024, and is tracked as CVE-2024-3561. The issue affects the plugin's term field functionality and impacts WordPress installations using this plugin (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the Term custom field functionality. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability allows authenticated attackers with contributor-level access or higher to append additional SQL queries to existing database queries (NVD).

When exploited, this vulnerability allows attackers to extract sensitive information from the database. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system. Attackers with contributor-level access can leverage this vulnerability to perform unauthorized database operations (NVD).

The plugin has been closed as of August 20, 2024, and is no longer available for download. The closure is permanent due to author request (WordPress Plugin). Users should consider migrating to alternative solutions for custom field management in WordPress.