CVE-2024-8484

Name of the Vulnerable Software and Affected Versions: REST API TO MiniProgram plugin for WordPress versions up to, and including, 4.7.1

Description: The issue is related to SQL Injection via the order parameter of the "/wp-json/watch-life-net/v1/comment/getcomments" API endpoint. This is due to insufficient escaping on the user-supplied order parameter and lack of sufficient preparation on the existing SQL query, allowing unauthenticated attackers to append additional SQL queries to extract sensitive information from the database.

Recommendations: For versions up to, and including, 4.7.1, as a temporary workaround, consider restricting access to the "/wp-json/watch-life-net/v1/comment/getcomments" API endpoint to minimize the risk of exploitation. Avoid using the order parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.