CVE-2024-38795: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2024-38795) was discovered in CridioStudio's ListingPro WordPress plugin affecting versions up to 2.9.4. The vulnerability was discovered on March 31, 2024, and publicly disclosed on July 22, 2024. The issue was patched in version 2.9.5. This vulnerability allows unauthenticated users to perform SQL injection attacks against affected WordPress installations (Patchstack Database).

The vulnerability exists in the listingpro_save_stripe function, which is hooked to the wp_ajax_nopriv_listingpro_save_stripe action. The function fails to properly escape the $listing variable from user input before using it in SQL queries, allowing unauthenticated users to perform SQL injection attacks. The vulnerability received a CVSS v3.1 base score of 9.3 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) (Patchstack Article).

This SQL injection vulnerability could allow malicious actors to directly interact with the website's database, potentially leading to unauthorized access to sensitive information, data theft, and database manipulation (Patchstack Database).

The vulnerability has been patched in version 2.9.5 of the ListingPro plugin. The fix implements proper prepared statements and integer casting for affected variables to prevent SQL injection. Users are strongly advised to update to version 2.9.5 or later immediately (Patchstack Article).