CVE-2024-39658: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability was discovered in the Salon Booking System WordPress plugin, affecting versions up to 10.7. The vulnerability was identified and disclosed on August 1, 2024, and tracked as CVE-2024-39658. This security issue allows authenticated users with administrator privileges to perform SQL injection attacks against the affected WordPress installations (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with a CVSS v3.1 base score of 7.2 (HIGH) according to NIST, and 7.6 (HIGH) according to Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability is network-accessible, requires high privileges, but no user interaction (NVD).

The vulnerability could allow a malicious actor with administrator access to directly interact with the database, potentially leading to unauthorized data access and manipulation. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (Patchstack).

The vulnerability has been fixed in version 10.8 of the Salon Booking System plugin. Users are advised to update to version 10.8 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).