CVE-2024-51579: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2024-51579) was discovered in the WordPress 5 Stars Rating Funnel plugin, affecting versions up to and including 1.4.01. The vulnerability was reported by Trương Hữu Phúc on August 23, 2024, and was publicly disclosed on October 31, 2024. This security issue affects the Saleswonder.Biz 5 Stars Rating Funnel plugin for WordPress (Patchstack, WPScan).

The vulnerability stems from insufficient escaping of user-supplied parameters and lack of proper preparation in existing SQL queries. The issue has been assigned CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability has received a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the affected plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (Patchstack).