CVE-2022-1013: 
WordPress vulnerability analysis and mitigation

The Personal Dictionary WordPress plugin before version 1.3.4 contains a blind SQL injection vulnerability (CVE-2022-1013). The vulnerability was discovered and publicly disclosed on April 18, 2022. The issue affects the plugin's handling of user-supplied POST data, which is not properly sanitized before being used in SQL statements (WPScan Advisory).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 9.8 (CRITICAL). The issue stems from improper neutralization of special elements used in SQL commands. The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the plugin's AJAX functionality. The attack vector involves manipulating POST data sent to the admin-ajax.php endpoint (NVD Database, WPScan Advisory).

The vulnerability allows attackers to execute arbitrary SQL queries on the affected WordPress installation, potentially leading to unauthorized access to sensitive database information, modification of database contents, and possible full system compromise. The critical CVSS score of 9.8 indicates severe potential impact on confidentiality, integrity, and availability of the system (NVD Database).

The vulnerability has been fixed in version 1.3.4 of the Personal Dictionary WordPress plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan Advisory).