The ListingPro plugin by CridioStudio suffers from an SQL Injection vulnerability (CVE-2024-38795) due to improper neutralization of special elements in SQL commands. This flaw affects all versions up to 2.9.4 and allows remote attackers to execute arbitrary SQL code without authentication. The vulnerability has a CVSS 3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), reflecting its critical severity and potential for high confidentiality impact and low availability impact. No vendor advisory or patch information is currently available, and no known exploits in the wild have been reported.

Successful exploitation of this vulnerability can lead to unauthorized disclosure of sensitive information from the database and partial denial of service conditions. The vulnerability does not require user interaction or privileges, making it remotely exploitable over the network. The integrity of data is not directly impacted according to the CVSS vector, but confidentiality is highly compromised.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the vulnerable plugin and monitor for updates from CridioStudio. Avoid exposing the affected plugin to untrusted networks. No vendor advisory or patch links are currently provided.