CVE-2021-24492

Name of the Vulnerable Software and Affected Versions Handsome Testimonials & Reviews WordPress plugin versions prior to 2.1.1

Description The issue arises from the hndtst action instance callback AJAX call in the Handsome Testimonials & Reviews WordPress plugin, which is accessible to any authenticated users. It fails to sanitise, validate, or escape the hndtst previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.

Recommendations For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the hndtst action instance callback AJAX call to minimize the risk of exploitation. Avoid using the hndtst previewShortcodeInstanceId parameter in the affected AJAX endpoint until the issue is resolved.