CVE-2024-6159

Name of the Vulnerable Software and Affected Versions: The Push Notification for Post and BuddyPress WordPress plugin versions prior to 1.9.4

Description: The issue arises from the plugin's failure to properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Recommendations: For versions prior to 1.9.4, update to version 1.9.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action to authenticated users only until a patch is applied.