CVE-2022-4059: 
WordPress vulnerability analysis and mitigation

The Cryptocurrency Widgets Pack WordPress plugin before version 2.0 contains a critical SQL injection vulnerability (CVE-2022-4059). The vulnerability was discovered and publicly disclosed on December 9, 2022. The issue affects all versions up to and including 1.8.1, where the plugin fails to properly sanitize and escape parameters in SQL statements that are accessible through AJAX actions to unauthenticated users (WPScan).

The vulnerability is classified as a SQL injection (CWE-89) with a CVSS v3.1 base score of 9.8 (CRITICAL), indicating the highest severity level. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high impact potential for confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

Due to the unauthenticated nature of the vulnerability and its critical severity rating, successful exploitation could allow attackers to execute arbitrary SQL commands on the underlying database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, or complete compromise of the WordPress installation (WPScan).

The vulnerability has been fixed in version 2.0 of the Cryptocurrency Widgets Pack plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).