CVE-2024-56290: 
WordPress vulnerability analysis and mitigation

CVE-2024-56290 is an SQL Injection vulnerability affecting the Multiple Shipping And Billing Address For Woocommerce WordPress plugin versions up to and including 1.2. The vulnerability was discovered by LVT-tholv2k and was publicly disclosed on January 3, 2025. This security flaw is classified as a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) vulnerability (Patchstack, WPScan).

The vulnerability stems from insufficient escaping of user-supplied parameters and lack of proper preparation in existing SQL queries within the plugin. The severity is rated as Critical with a CVSS score of 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L). The vulnerability requires no authentication to exploit, making it particularly dangerous (Patchstack).

This vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to unauthorized access to sensitive information stored in the database. The high CVSS score indicates that this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

Users are strongly advised to update to version 1.3 or later of the Multiple Shipping And Billing Address For Woocommerce plugin to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).