PT-2024-37159 · WordPress · The Houzez Theme

István Márton · Published 2024-07-08 · Updated 2024-07-10 · CVE-2024-5793

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Houzez Theme - Functionality plugin for WordPress versions up to, and including, 3.2.2
Description: The Houzez Theme - Functionality plugin for WordPress is vulnerable to SQL Injection via the currency code parameter, due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
Recommendations: For versions up to, and including, 3.2.2, update to a version that fixes the SQL Injection vulnerability in the currency code parameter. As a temporary workaround, consider restricting access to the currency code parameter until a patch is available.
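The two failure modes named above, insufficient escaping of a request parameter and a query that is not prepared, shown as an added WordPress illustration; this is not the Houzez plugin's code, and the function names, table name, capability and three-letter code format are assumptions.

```php
<?php
// Added illustration (not the Houzez plugin's code): a user-supplied currency
// code interpolated into SQL, beside the prepared-statement form WordPress
// provides. Function names, the table name and the capability are invented.

// Vulnerable pattern: the request value is placed straight into the query
// string, so its contents become part of the SQL statement itself.
function hypothetical_get_currency_vulnerable( $currency_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_currencies';
    $sql   = "SELECT * FROM {$table} WHERE currency_code = '" . $currency_code . "'";
    return $wpdb->get_row( $sql );
}

// Hardened form: $wpdb->prepare() binds the value as data with a %s
// placeholder, so the parameter can no longer change the query structure.
function hypothetical_get_currency_prepared( $currency_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_currencies';
    // Validate the shape first (assumed ISO-style three-letter code).
    if ( ! preg_match( '/^[A-Z]{3}$/', $currency_code ) ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE currency_code = %s",
        $currency_code
    );
    return $wpdb->get_row( $sql );
}

// Least privilege: the advisory notes the flaw was reachable by a
// Custom-level (seller) role. Even a prepared query should sit behind the
// narrowest capability the feature needs; 'manage_options' is an assumed choice.
function hypothetical_handle_currency_request() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $code = isset( $_GET['currency_code'] )
        ? sanitize_text_field( wp_unslash( $_GET['currency_code'] ) )
        : '';
    return hypothetical_get_currency_prepared( strtoupper( $code ) );
}
```

Reviewing a plugin for this class of bug means searching for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose SQL string is built by concatenation or interpolation of request data rather than passed through `$wpdb->prepare()`.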

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-5793

Affected Products: The Houzez Theme