CVE-2024-10687: 
WordPress vulnerability analysis and mitigation

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress contains a time-based SQL Injection vulnerability identified as CVE-2024-10687. The vulnerability affects all versions up to and including 24.0.3, and was disclosed on November 5, 2024 (NVD).

The vulnerability exists due to insufficient escaping of the $collectedIds parameter and lack of proper preparation in existing SQL queries. This SQL injection vulnerability is classified as time-based and has received a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The weakness is categorized as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling them to extract sensitive information from the database. Given the CRITICAL severity rating and the ability to execute without authentication, this poses a significant security risk to affected installations (NVD).

Users should upgrade to version 24.0.4 or later of the Contest Gallery plugin, which contains fixes for this vulnerability (WordPress Plugin).