CVE-2021-25054: 
WordPress vulnerability analysis and mitigation

The WPcalc WordPress plugin through version 2.1 contains an authenticated SQL Injection vulnerability (CVE-2021-25054). The vulnerability was discovered in December 2021 and affects the plugin's handling of the 'did' parameter in SQL statements due to insufficient input sanitization (WPScan).

The vulnerability exists due to improper sanitization of user input in the 'did' parameter which is directly used in SQL statements. The vulnerability has been assigned a CVSS v3 base score of 8.8 (High) with attack vector being Network, attack complexity Low, and requiring Low privileges (AttackerKB). The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (WPScan).

If exploited, this vulnerability could allow an authenticated attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized access to sensitive data, modification of database contents, and compromise of the WordPress installation's integrity (WPScan).

There is no known fix for this vulnerability as the plugin author has closed the plugin. The recommended mitigation is to uninstall the WPcalc plugin from WordPress installations (WPScan).