CVE-2024-9156: 
WordPress vulnerability analysis and mitigation

The TI WooCommerce Wishlist WordPress plugin through version 2.8.2 was identified with a SQL Injection vulnerability (CVE-2024-9156). The vulnerability was discovered on September 19, 2024, and affects over 100,000 active installations. This security issue stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (WPScan Blog).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.5 (HIGH). The issue exists in the wishlist management functionalities where user-supplied parameters are insufficiently escaped. The vulnerability specifically involves the handling of language parameters, where attackers can manipulate the SQL query through the lang and lang_default parameters (NVD, WPScan Blog).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. This creates a significant security risk for affected installations (NVD).

The vulnerability has been fixed in version 2.9.1 of the TI WooCommerce Wishlist plugin. Users are strongly advised to update to this version. For those unable to update immediately, implementing a Web Application Firewall (WAF) rule is recommended as a temporary mitigation measure (WPScan Blog).