CVE-2024-11430

Name of the Vulnerable Software and Affected Versions SQL Chart Builder plugin for WordPress versions up to, and including, 2.3.6

Description The issue arises from insufficient escaping on the user-supplied arg1 parameter and lack of sufficient preparation on the existing SQL query in the gvn schart 2 shortcode. This allows authenticated attackers with Contributor-level access and above to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database.

Recommendations For versions up to, and including, 2.3.6, consider disabling the gvn schart 2 shortcode until a patch is available to prevent exploitation. Restrict access to the SQL Chart Builder plugin to minimize the risk of exploitation, especially for users with Contributor-level access and above. Avoid using the arg1 parameter in the gvn schart 2 shortcode until the issue is resolved.