CVE-2024-51715: 
WordPress vulnerability analysis and mitigation

The WordPress ClickWhale plugin versions 2.4.1 and below contain an SQL Injection vulnerability (CVE-2024-51715), which was discovered and reported by Trương Hữu Phúc on November 28, 2024. The vulnerability was publicly disclosed on January 6, 2025, affecting the ClickWhale Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin (WPScan, Patchstack).

The vulnerability is classified as an SQL Injection (CWE-89) with a CVSS score of 8.5, indicating a high severity level. The issue stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This vulnerability requires authenticated access with Contributor-level privileges or higher to exploit. The attack vector allows malicious actors to append additional SQL queries to existing ones, potentially leading to unauthorized data extraction from the database (WPScan).

The vulnerability could allow authenticated attackers to directly interact with the database, potentially leading to unauthorized access and theft of sensitive information. The impact is considered significant due to the high CVSS score, although it requires authenticated access to exploit (Patchstack).

The vulnerability has been patched in version 2.4.2 of the ClickWhale plugin. Website administrators are advised to update to version 2.4.2 or later to remediate this security issue (Patchstack).