PT-2024-16136 · WordPress · The Video Gallery – Best Wordpress Youtube Gallery Plugin

Tmrswrr · Published 2024-12-06 · Updated 2025-07-09 · CVE-2024-10247

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Video Gallery – Best WordPress YouTube Gallery Plugin, versions up to and including 2.4.2

Description: The issue is a time-based SQL Injection vulnerability via the orderby parameter. It is caused by insufficient escaping of the user-supplied parameter and a lack of sufficient preparation of the existing SQL query. As a result, authenticated attackers with Administrator-level access and above can append additional SQL queries to the existing query and extract sensitive information from the database.

Recommendations: For versions up to and including 2.4.2, update to a version higher than 2.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the orderby parameter to minimize the risk of exploitation.
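As an added illustration (not the plugin's own code), the query shape that produces this class of bug is shown beside a hardened form; the table name, column names and the vg_* function names are assumptions. The point it makes is that $wpdb->prepare() placeholders cover values, not identifiers, so an ORDER BY column must be allow-listed rather than escaped.

```php
<?php
// Added illustration (not the plugin's code): why an ORDER BY clause built from
// request input is injectable, and one way to harden it in a WordPress plugin.
// Table, column names and the vg_* function names are assumptions.

// Vulnerable pattern: the user-supplied orderby value is concatenated into the
// query. $wpdb->prepare() placeholders (%s, %d) only cover values, not identifiers,
// so neither escaping nor prepare() on its own protects a column name in ORDER BY.
function vg_get_videos_unsafe( $orderby ) {
    global $wpdb;
    $table = $wpdb->prefix . 'video_gallery'; // assumed table name
    $sql   = "SELECT * FROM {$table} ORDER BY {$orderby}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: accept only a fixed allow-list of column names and sort
// directions, and fall back to a safe default for anything else. The identifier
// never comes from the request; only the choice among known-good values does.
function vg_get_videos_safe( $orderby, $order = 'ASC' ) {
    global $wpdb;
    $allowed_columns = array( 'id', 'title', 'date_added' ); // assumed schema
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }
    $order = ( strtoupper( $order ) === 'DESC' ) ? 'DESC' : 'ASC';
    $table = $wpdb->prefix . 'video_gallery';
    // Both fragments are now plugin-controlled literals, so interpolation is safe.
    $sql = "SELECT * FROM {$table} ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// Request handling: map the raw parameter onto the allow-listed query. The path
// is reachable by Administrator-level users, so a capability check narrows who
// can trigger it but does not remove the need for validation.
function vg_handle_request() {
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    $order   = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'asc';
    return vg_get_videos_safe( $orderby, $order );
}
```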

Fix
SQL injection

Weakness Enumeration

Related Identifiers: CVE-2024-10247

Affected Products: The Video Gallery – Best Wordpress Youtube Gallery Plugin