CVE-2024-9838: 
WordPress vulnerability analysis and mitigation

The Auto Affiliate Links WordPress plugin before version 6.4.7 contains a SQL injection vulnerability identified as CVE-2024-9838. The vulnerability was publicly disclosed on September 18, 2024, and affects the plugin's import/export functionality, specifically impacting WordPress installations running vulnerable versions of the Auto Affiliate Links plugin (WPScan).

The vulnerability stems from improper input sanitization and escaping of parameters before their use in SQL statements. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified as a SQL Injection (SQLI) type and falls under the OWASP Top 10 category A1: Injection (WPScan, NVD).

When exploited, this vulnerability allows authenticated administrators to perform SQL injection attacks against the affected WordPress installation. The impact is reflected in the CVSS scoring, indicating potential compromise of data confidentiality and integrity, though with limited scope (NVD).

The vulnerability has been patched in version 6.4.7 of the Auto Affiliate Links plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).