CVE-2024-13236

Name of the Vulnerable Software and Affected Versions Tainacan plugin for WordPress versions 0.21.12 and earlier

Description The issue arises from insufficient escaping on the user-supplied collection id parameter and a lack of sufficient preparation on the existing SQL query. This allows authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database.

Recommendations For versions 0.21.12 and earlier, update to a version later than 0.21.12 to resolve the issue. As a temporary workaround, consider restricting access to the collection id parameter to minimize the risk of exploitation.