CVE-2024-39653: 
WordPress vulnerability analysis and mitigation

CVE-2024-39653 is a SQL Injection vulnerability discovered in E4J s.R.L. VikRentCar WordPress plugin versions up to 1.4.0. The vulnerability was initially reported on June 25, 2024, and publicly disclosed on August 1, 2024. This security flaw affects the WordPress VikRentCar Car Rental Management System plugin and allows for SQL Injection attacks (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') with a CVSS v3.1 base score of 9.8 (Critical) according to NIST, and 9.3 (Critical) according to Patchstack. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impact on confidentiality, integrity, and availability (NVD).

This SQL Injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized data access, data theft, and manipulation of database contents. The critical CVSS score indicates severe potential consequences if exploited (Patchstack).

The vulnerability has been fixed in version 1.4.1 of the VikRentCar plugin. Users are strongly advised to update to version 1.4.1 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).