CVE-2022-3246: 
WordPress vulnerability analysis and mitigation

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before version 6.9.10 contains a SQL injection vulnerability identified as CVE-2022-3246. The vulnerability was discovered and publicly disclosed on October 3, 2022. The issue affects the plugin's parameter handling where it fails to properly sanitize and escape input before using it in SQL statements, making it exploitable by any authenticated users, including those with subscriber-level access (WPScan Advisory).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue exists in the plugin's dashboard functionality, specifically in the handling of parameters in SQL statements. The vulnerability can be exploited through the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social) by authenticated users (NVD, WPScan Advisory).

The vulnerability allows authenticated attackers, even with minimal privileges such as subscriber access, to execute arbitrary SQL queries against the WordPress database. This can lead to unauthorized access to sensitive information, including the ability to extract all registered user emails from the database (WPScan Advisory).

The vulnerability has been fixed in version 6.9.10 of the Blog2Social plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan Advisory).