PT-2024-32622 · WordPress · Youzify – Buddypress Community

Peter Thaleikis · Published 2024-06-20 · Updated 2024-07-15 · CVE-2024-4742

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress, versions 1.2.5 and earlier.

Description: The issue allows authenticated attackers with Contributor-level access and above to perform SQL Injection via the `order by` shortcode attribute, due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This enables attackers to append additional SQL queries to already existing queries, potentially extracting sensitive information from the database.

Recommendations: For versions 1.2.5 and earlier, update to a version that addresses the SQL Injection issue, ensuring proper escaping and preparation of SQL queries to prevent exploitation. As a temporary workaround, consider restricting access to the `order by` shortcode attribute to minimize the risk of exploitation.
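The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: an `ORDER BY` target cannot be bound through `$wpdb->prepare()` placeholders (a `%s` would quote the value), so neither `prepare()` nor `esc_sql()` alone protects a query that interpolates a shortcode attribute there. The fix is to map the attribute onto a fixed allowlist of column/direction pairs. The shortcode name, attribute names and helper functions below are assumptions made for the example.

```php
<?php
// Added example (hypothetical code, not Youzify's): a shortcode that lists
// members ordered by a user-controlled "order_by" attribute. Any user who can
// write posts (Contributor and above) can place shortcode attributes in content,
// which is why such a flaw is reachable with only PR:L.

// VULNERABLE pattern: the attribute is interpolated straight into the query.
// esc_sql() would not help either: ORDER BY takes an identifier or expression,
// not a quoted string, so quote-escaping does not constrain what is appended.
function example_members_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'order_by' => 'display_name' ), $atts );
    $sql  = "SELECT ID, display_name FROM {$wpdb->users} ORDER BY {$atts['order_by']}";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: translate the attribute into one of a few known clauses and
// fall back to the default when the value is not recognised.
function example_members_order_clause( $order_by ) {
    $allowed = array(
        'display_name' => 'display_name ASC',
        'newest'       => 'user_registered DESC',
        'oldest'       => 'user_registered ASC',
    );
    // sanitize_key() lowercases and strips everything except [a-z0-9_-],
    // so only allowlist keys can ever match.
    $key = sanitize_key( (string) $order_by );
    return isset( $allowed[ $key ] ) ? $allowed[ $key ] : $allowed['display_name'];
}

function example_members_shortcode_hardened( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'order_by' => 'display_name', 'limit' => 10 ), $atts );
    $order = example_members_order_clause( $atts['order_by'] );
    // LIMIT is a genuine data parameter, so it is bound through prepare().
    $sql   = $wpdb->prepare(
        "SELECT ID, display_name FROM {$wpdb->users} ORDER BY {$order} LIMIT %d",
        absint( $atts['limit'] )
    );
    $out = '<ul>';
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        $out .= '<li>' . esc_html( $row->display_name ) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'example_members', 'example_members_shortcode_hardened' );
```

When reviewing a plugin for this pattern, grep for `ORDER BY` (and `GROUP BY`, `LIMIT` without `%d`) concatenated with anything derived from shortcode attributes, `$_GET`/`$_POST` or REST parameters; every such site needs an allowlist like `example_members_order_clause()`, since no escaping function in WordPress makes an interpolated identifier safe.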

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-4742

Affected Products

Youzify – Buddypress Community