CVE-2022-3243: 
WordPress vulnerability analysis and mitigation

The Import all XML, CSV & TXT WordPress plugin (wp-ultimate-csv-importer) before version 6.5.8 contains a SQL injection vulnerability identified as CVE-2022-3243. The vulnerability was discovered and reported by Sanjay Das on September 20, 2022. This security issue affects WordPress installations with the plugin installed and is exploitable by users with high-level privileges such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of imported data before using them in SQL statements. The issue has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (NVD, WPScan).

When successfully exploited, this vulnerability could allow high-privileged users to perform SQL injection attacks, potentially leading to unauthorized access to database contents, modification of database data, and possible compromise of the WordPress installation (WPScan).

Users should upgrade to version 6.5.8 or later of the Import all XML, CSV & TXT WordPress plugin, which contains the fix for this vulnerability (WPScan).