CVE-2024-2954

Name of the Vulnerable Software and Affected Versions Action Network plugin for WordPress version 1.4.3

Description The issue arises from insufficient escaping on the user-supplied bulk-action parameter and lack of sufficient preparation on the existing SQL query, allowing authenticated attackers with administrator-level access and above to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database.

Recommendations For version 1.4.3, consider disabling the bulk-action parameter until a patch is available to prevent potential SQL injection attacks. Restrict access to the database to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.