CVE-2024-6027: 
WordPress vulnerability analysis and mitigation

The Themify – WooCommerce Product Filter plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2024-6027) affecting all versions up to and including 1.4.9. The vulnerability was discovered and disclosed on June 21, 2024, impacting over 30,000 WooCommerce-powered online stores (Security Online, NVD).

The vulnerability stems from insufficient escaping of the 'conditions' parameter and lack of proper preparation in existing SQL queries. This time-based SQL injection vulnerability allows unauthenticated attackers to append additional SQL queries to existing ones. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from Wordfence and 7.5 (HIGH) from NVD, indicating its severe nature (NVD).

The vulnerability enables unauthenticated attackers to extract sensitive information from the database, potentially including customer names, addresses, and credit card details. With over 30,000 active installations affected, the scope of potential data exposure is significant (Security Online).

Site administrators are strongly advised to update the Themify – WooCommerce Product Filter plugin to version 1.5.0 or higher, which contains the security fix. This update was released on June 18, 2024, as documented in the changelog (Themify Changelog).