CVE-2022-1014
WordPress vulnerability analysis and mitigation

Overview

CVE-2022-1014 affects the WP Contacts Manager WordPress plugin through version 2.2.4. The vulnerability was discovered and publicly disclosed on May 2, 2022. The flaw lies in the plugin's handling of user-supplied POST data, which is not properly sanitized before being used in SQL statements (WPScan, MITRE CVE).

Technical details

The vulnerability is classified as SQL injection (SQLi), falling under the OWASP Top 10 category A1: Injection and CWE-89. It has been assigned a critical CVSS score of 9.4. The issue stems from inadequate sanitization of POST data that is subsequently interpolated into SQL statements. The vulnerability can be exploited through the WordPress admin-ajax.php endpoint with specific parameters (WPScan).

Impact

The SQL injection vulnerability allows attackers to execute arbitrary SQL queries against the WordPress database. This can potentially lead to unauthorized access to sensitive information, including user credentials, and could result in complete database compromise. The unauthenticated nature of the vulnerability makes it particularly severe as it can be exploited without requiring any prior authentication (WPScan).

Mitigation and workarounds

As of the vulnerability disclosure, there is no known fix available for this security issue. Users of the WP Contacts Manager plugin should consider disabling or removing the plugin until a security patch is released (WPScan).
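To find installs that need the disable-or-remove step, the following added example (not code from WPScan or the plugin) scans a WordPress plugins directory for plugin file headers naming WP Contacts Manager at version 2.2.4 or lower. It assumes the plugin's `Plugin Name` header matches the name used in this advisory; the sample tree built in `demo()` is constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_NAME = "wp contacts manager"  # assumption: header name equals the advisory's name
LAST_AFFECTED = (2, 2, 4)              # advisory: affected "through version 2.2.4"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def read_plugin_header(php_file):
    """Return the 'plugin name' and 'version' header fields of a plugin file."""
    # WordPress itself reads only the first 8 KiB of a file for header fields.
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip(" \t\r*/"))
    return fields

def version_tuple(version):
    """'2.2.4' -> (2, 2, 4); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def find_affected(plugins_dir):
    """List (folder, version) for installed copies at or below 2.2.4."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php_file)
        if header.get("plugin name", "").lower() != AFFECTED_NAME:
            continue
        version = header.get("version", "")
        # A missing version is reported too: it cannot be shown to be unaffected.
        if not version or version_tuple(version) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, version or "unknown"))
    return hits

def demo():
    """Build a constructed plugins tree (hypothetical folder names) and scan it."""
    samples = {"contacts-a": ("WP Contacts Manager", "2.2.4"),
               "contacts-b": ("WP Contacts Manager", "2.3.0"),
               "other": ("Some Other Plugin", "1.0")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, ver) in samples.items():
            plugin_dir = Path(root, folder)
            plugin_dir.mkdir()
            plugin_dir.joinpath("main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_affected(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `find_affected()` with the site's `wp-content/plugins` path; each hit is a copy to deactivate or remove.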

Source: This report was generated using AI

Related WordPress vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-14478 | HIGH | 7.5 | | demo-importer-plus | No | Yes | Jan 17, 2026 |
| CVE-2025-8615 | MEDIUM | 6.4 | | cubewp-framework | No | Yes | Jan 17, 2026 |
| CVE-2025-14078 | MEDIUM | 5.3 | | woocommerce-for-paygent-payment-main | No | Yes | Jan 17, 2026 |
| CVE-2025-12129 | MEDIUM | 5.3 | | cubewp-framework | No | Yes | Jan 17, 2026 |
| CVE-2026-0725 | MEDIUM | 4.4 | | integrate-dynamics-365-crm | No | Yes | Jan 17, 2026 |
