CVE-2024-49655: 
WordPress vulnerability analysis and mitigation

The ARPrice WordPress plugin contains an SQL Injection vulnerability (CVE-2024-49655) affecting versions up to and including 4.0.3. The vulnerability was discovered by researcher Bonds and was publicly disclosed on January 3, 2025. This security issue stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin (WPScan, Patchstack).

The vulnerability is classified as an SQL Injection (CWE-89) that allows unauthenticated attackers to append additional SQL queries to existing ones. The severity of this vulnerability is rated as Critical with a CVSS v3.1 score of 9.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L). The issue is particularly concerning as it requires no authentication to exploit (NVD, Patchstack).

The vulnerability allows malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. Due to its unauthenticated nature and high severity score, this vulnerability is expected to become mass exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures (Patchstack).