CVE-2025-11177

WordPress · WordPress Plugin: External Login

A high-severity SQL Injection vulnerability has been identified in the "External Login" plugin for WordPress.

Executive summary

A high-severity SQL Injection vulnerability has been identified in the "External Login" plugin for WordPress. This flaw allows an unauthenticated attacker to manipulate the website's database, potentially leading to a complete compromise of sensitive information, including user data, passwords, and site content. Immediate patching is required to prevent data breaches and unauthorized access.

Vulnerability

The "External Login" plugin fails to properly sanitize user-supplied input in the 'log' parameter before using it in a database query. An unauthenticated attacker can craft a malicious request containing specially formatted SQL commands within this parameter. Successful exploitation allows the attacker to execute arbitrary SQL queries on the WordPress database, enabling them to bypass authentication, exfiltrate sensitive data, modify or delete records, and potentially gain administrative control over the website.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit could have significant business consequences, including a major data breach of customer or user information, leading to reputational damage and loss of trust. The compromise of sensitive data could result in financial losses, operational disruption, and potential regulatory penalties under data protection laws like GDPR or CCPA. An attacker could also deface the website or use it to host malicious content, further damaging the organization's brand.

Remediation

Immediate Action: Update the "External Login" plugin to the latest version provided by the developer, which contains a patch for this vulnerability. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it, eliminating this attack vector entirely.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for any requests containing suspicious SQL syntax in the 'log' parameter. Implement database activity monitoring to detect and alert on unusual query patterns, such as unexpected UNION, SELECT, or DROP commands originating from the web application user.
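The log review described above can be automated. The following is an added example written for this advisory, not code from the plugin or from WordPress: it parses access-log lines in the common Apache/nginx "combined" format, pulls out the 'log' query parameter named in this advisory, and flags values that carry SQL keywords, comment sequences, or stacked-statement separators. A lone apostrophe is deliberately not treated as an indicator, because legitimate usernames such as o'brien contain one and would otherwise flood the alert queue. The log lines, IP addresses and timestamps are constructed sample data; the indicator list is a starting point for a detection rule, not an exhaustive signature set.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. Not real traffic:
# the addresses are from the documentation range 203.0.113.0/24.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-login.php?log=alice&pwd=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Oct/2025:10:00:02 +0000] "GET /wp-login.php?log=bob%27%20UNION%20SELECT%201%2C2%2C3--%20&pwd=x HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.12 - - [01/Oct/2025:10:00:03 +0000] "GET /?log=o%27brien HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Oct/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a "combined" format line.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of SQL syntax inside a value that should be a plain username.
# A lone apostrophe is intentionally absent: names like o'brien are legitimate input.
SQL_KEYWORD_RE = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)
SQL_COMMENT_RE = re.compile(r"--|/\*")          # line and block comment openers
STACKED_RE = re.compile(r";\s*\w")              # statement terminator followed by more SQL
QUOTE_LOGIC_RE = re.compile(r"'\s*(or|and)\s+", re.IGNORECASE)  # quote that closes a literal and adds a condition


def extract_log_param(target: str) -> list[str]:
    """Return the decoded values of the 'log' query parameter in a request target."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("log", [])
    # parse_qs percent-decodes once; decoding a second time exposes double-encoded payloads
    # (at the cost of turning a literal '+' into a space, which is acceptable for detection).
    return [unquote_plus(v) for v in values]


def score_value(value: str) -> list[str]:
    """Return the names of every SQL indicator present in a single parameter value."""
    indicators = []
    if SQL_KEYWORD_RE.search(value):
        indicators.append("sql-keyword")
    if SQL_COMMENT_RE.search(value):
        indicators.append("sql-comment")
    if STACKED_RE.search(value):
        indicators.append("stacked-statement")
    if QUOTE_LOGIC_RE.search(value):
        indicators.append("quote-logic")
    return indicators


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious 'log' parameter value.

    Only the request target is visible in an access log, so parameters sent in a POST body
    are not inspected here; WAF or application logs are needed to cover those requests.
    """
    findings = []
    for line in text.splitlines():
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # malformed or non-combined line; skip rather than guess
        for value in extract_log_param(match["target"]):
            indicators = score_value(value)
            if indicators:
                findings.append({
                    "ip": match["ip"],
                    "ts": match["ts"],
                    "value": value,
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} log={finding['value']!r} -> {', '.join(finding['indicators'])}")
```

On the constructed sample the script raises exactly one finding, for the request from 203.0.113.11 (both the keyword and comment indicators fire), and stays silent on alice, o'brien and the POST request. In production the same logic belongs in the SIEM or WAF rule set rather than a cron job, and the indicator list should be tuned against the site's real username population before it is put in blocking mode.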

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. Ensure these rules are updated and in blocking mode. Restrict the permissions of the database user account associated with WordPress to the absolute minimum required for the application to function, following the principle of least privilege.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) and the potential for complete database compromise, organizations are strongly advised to treat this vulnerability with high urgency. The primary recommendation is to apply the security update for the "External Login" plugin immediately. All instances of this plugin should be identified and patched across the environment. If the plugin's functionality is not critical, removing it is the most effective way to mitigate this risk permanently.