CVE-2024-43917: 
WordPress vulnerability analysis and mitigation

The TI WooCommerce Wishlist plugin, with over 100,000 active installations, contains a critical SQL Injection vulnerability (CVE-2024-43917) discovered in version 2.8.2 and below. This unauthenticated SQL injection vulnerability allows attackers to execute arbitrary SQL queries in the WordPress site's database without requiring any privileges (Patchstack, SecurityOnline).

The vulnerability has been assigned a CVSS score of 9.3 (Critical) and is tracked as CVE-2024-43917. The flaw exists in multiple functions including get() and getwishlistsdata(), where user input is directly concatenated into SQL queries without proper sanitization. The vulnerability can be exploited through the REST API endpoint and WC Ajax hooks (WPScan, Patchstack).

The vulnerability allows attackers to execute arbitrary SQL queries in the database, potentially leading to unauthorized access to sensitive information, data breaches, site defacements, and complete site takeover. The critical nature of this flaw poses a significant risk to the over 100,000 websites using this plugin (SecurityOnline).

As of the latest reports, there is no patched version available. Security experts strongly recommend deactivating and deleting the plugin immediately to protect against potential attacks. Patchstack users are protected through virtual patching that mitigates this vulnerability (Patchstack).

The WordPress plugin review team has taken action by closing the plugin in response to this critical vulnerability. The security community has expressed significant concern about the widespread impact of this vulnerability, particularly given the large number of affected installations (SecurityOnline).