CVE-2024-48020: 
WordPress vulnerability analysis and mitigation

The Backup and Staging by WP Time Capsule WordPress plugin contains an SQL Injection vulnerability (CVE-2024-48020) discovered on October 8, 2024. The vulnerability affects versions up to and including 1.22.21 of the plugin. This security issue was identified by researcher Hakiduck and involves improper neutralization of special elements used in SQL commands (WPScan, Patchstack).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The issue has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

The SQL injection vulnerability allows authenticated attackers with contributor-level access or higher to append additional SQL queries to existing ones. This capability can be exploited to extract sensitive information from the database (WPScan).

The vulnerability has been fixed in version 1.22.22 of the Backup and Staging by WP Time Capsule plugin. Users are advised to update to this version or later to remediate the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).