CVE-2024-54304: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2024-54304) was discovered in the Hive Support WordPress Help Desk plugin affecting versions through 1.1.2. The vulnerability was reported by researcher stealthcopter on October 8, 2024, and was publicly disclosed on December 11, 2024 (Patchstack).

The vulnerability is classified as an SQL Injection (CWE-89) that allows authenticated users with Subscriber or higher privileges to perform database queries. The issue received a CVSS v3.1 Base Score of 8.5 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L (Patchstack).

This vulnerability could allow malicious actors with authenticated access to directly interact with the database, potentially leading to unauthorized data access and information theft. The high CVSS score indicates this is a severe vulnerability expected to become mass exploited (Patchstack).

Users are advised to update to version 1.1.3 or later which contains fixes for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).