CVE-2024-13713

Name of the Vulnerable Software and Affected Versions WPExperts Square For GiveWP plugin for WordPress versions up to, and including, 1.3.1

Description The issue allows authenticated attackers with Subscriber-level access and above to perform SQL Injection via the post parameter due to insufficient escaping and lack of preparation on the existing SQL query. This enables attackers to extract sensitive information from the database by appending additional SQL queries to existing ones.

Recommendations For WPExperts Square For GiveWP plugin for WordPress versions up to, and including, 1.3.1, consider restricting access to the post parameter in the affected API endpoint until a patch is available. As a temporary workaround, avoid using the post parameter in queries to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.