CVE-2024-13608: 
WordPress vulnerability analysis and mitigation

The Track Logins WordPress plugin through version 1.0 contains a SQL injection vulnerability identified as CVE-2024-13608. The vulnerability was discovered by Francisco Alisson and publicly disclosed on January 27, 2025. This security issue affects the WordPress plugin's parameter handling in the admin interface (WPScan, CVE).

The vulnerability stems from improper sanitization and escaping of a parameter before its use in SQL statements within the plugin. The CVSS score for this vulnerability is 4.9 (medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as a SQL Injection (SQLI) issue and maps to OWASP Top 10 category A1: Injection and CWE-89 (WPScan, Wordfence).

When exploited, this vulnerability allows administrators to perform SQL injection attacks against the WordPress database. The potential impact is primarily focused on data confidentiality, as indicated by the CVSS metrics showing high confidentiality impact but no impact on integrity or availability (WPScan).

Currently, there is no known fix available for this vulnerability in the Track Logins WordPress plugin (WPScan).