CVE-2021-24849

Name of the Vulnerable Software and Affected Versions: WCFM Marketplace WordPress plugin versions prior to 3.4.12

Description: The issue concerns the wcfm ajax controller AJAX action, which is accessible to both unauthenticated and authenticated users. It fails to properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.

Recommendations: For versions prior to 3.4.12, update to version 3.4.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the wcfm ajax controller AJAX action until a patch is available.