CVE-2024-49617: 
WordPress vulnerability analysis and mitigation

The Back Link Tracker WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows Blind SQL Injection, identified as CVE-2024-49617. The vulnerability affects all versions up to and including 1.0.0, discovered and disclosed on October 18, 2024. The plugin, developed by Bhaskar Dhote, lacks proper nonce validation on certain functions (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation on an undisclosed function within the plugin. The CVSS v3.1 base score is rated as 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) according to NIST's assessment, while Patchstack rates it at 8.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to inject malicious SQL queries into the application when they can trick a site administrator into performing specific actions, such as clicking on a malicious link. However, the exploitation opportunities are limited due to the attackers' inability to obtain query responses (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to consider implementing additional security measures or removing the plugin if not essential (Patchstack).