
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

09 Jul 2024 — The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The CZ Loan Management plugin for WordPress is vulnerable to SQL Injection via the 'selectedperiod' parameter of the 'cz_plugin_for_user_get_percentage' AJAX action in all versions up to, and including, 1.1 due to insufficient escaping on the user-supplied parameter and lack of sufficient pre... • https://wpscan.com/vulnerability/68f81943-b007-49c8-be9c-d0405b2ba4cf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')