CVE-2024-6926: 
WordPress vulnerability analysis and mitigation

The Viral Signup WordPress plugin through version 2.1 contains an SQL injection vulnerability (CVE-2024-6926) that affects unauthenticated users. The vulnerability stems from improper sanitization and escaping of parameters in SQL statements that are accessible through AJAX actions (NVD, WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability can be exploited through an unauthenticated AJAX action 'wow_signup_send_free' where an unsanitized parameter is directly used in SQL queries (NVD, WPScan).

Due to the critical nature of SQL injection vulnerabilities and the lack of authentication requirements, this vulnerability could allow attackers to read, modify, or delete database contents, potentially leading to full site compromise. The high CVSS score indicates severe potential impacts on confidentiality, integrity, and availability of the affected system (NVD).

Currently, there is no known fix available for this vulnerability. Users of the Viral Signup WordPress plugin should consider disabling the plugin until a security update is released (WPScan).