CVE-2024-56247
Published: 02 January 2025
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AF themes WP Post Author wp-post-author allows SQL Injection. This issue affects WP Post Author: from n/a through <= 3.8.2.
Security Summary
CVE-2024-56247 is an SQL Injection vulnerability (CWE-89) in the WP Post Author plugin for WordPress, developed by AF themes. The flaw stems from improper neutralization of special elements used in an SQL command within the wp-post-author component. It affects all versions of the plugin up to and including 3.8.2. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), rated high severity because it is reachable over the network, has low attack complexity, and carries a high confidentiality impact with a changed scope.
Exploitation requires high privileges (PR:H), such as those held by an authenticated administrator, and can be performed remotely over the network with low attack complexity and no user interaction. A successful attack allows the adversary to extract sensitive data from the database (high confidentiality impact), and the changed scope (S:C) means the impact can extend beyond the vulnerable plugin itself; integrity impact is none (I:N) and availability impact is low (A:L).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-post-author/vulnerability/wordpress-wp-post-author-plugin-3-8-2-sql-injection-vulnerability?_s_id=cve provides details on the vulnerability and recommends mitigating it by updating the WP Post Author plugin to a version later than 3.8.2.
Details
- CWE(s)