CVE-2024-50479: 
WordPress vulnerability analysis and mitigation

The Woocommerce Quote Calculator plugin for WordPress contains an SQL Injection vulnerability (CVE-2024-50479) that affects versions up to and including 1.1. The vulnerability was discovered by researcher LVT-tholv2k and was publicly disclosed on October 25, 2024. This security flaw stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin (WPScan, Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It has received a Critical CVSS v3.1 base score of 9.8 from NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and 9.3 from Patchstack (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L). The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries (NVD).

This vulnerability enables unauthenticated attackers to extract sensitive information from the database through SQL injection techniques. The high CVSS scores indicate that this is a critical security issue that could lead to significant data breaches and system compromise (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures or consider using Patchstack's protection (Patchstack).