CVE-2022-1182: 
WordPress vulnerability analysis and mitigation

The Visual Slide Box Builder WordPress plugin through version 3.2.9 contains a SQL injection vulnerability identified as CVE-2022-1182. The vulnerability was discovered and publicly disclosed on April 19, 2022. This security flaw affects any WordPress installation using the Visual Slide Box Builder plugin version 3.2.9 or earlier, and is accessible to any authenticated user, including those with minimal privileges such as subscribers (WPScan).

The vulnerability stems from improper input validation where the plugin fails to sanitize and escape various parameters before using them in SQL statements via AJAX actions. The vulnerability has been assigned a CVSS score of 7.7 (High), indicating significant severity. A proof of concept exploit demonstrates that the vulnerability can be triggered through the wp-admin/admin-ajax.php endpoint using the vsbbgetone action with malformed SQL queries (WPScan).

The SQL injection vulnerability allows authenticated users, even those with minimal privileges such as subscribers, to execute arbitrary SQL commands against the WordPress database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or compromise of the entire WordPress installation (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Website administrators running the affected plugin should consider either removing the plugin or implementing additional security controls to restrict access to the vulnerable AJAX endpoints (WPScan).