CVE-2022-4290: 
WordPress vulnerability analysis and mitigation

The Cyr to Lat WordPress plugin contains an authenticated SQL Injection vulnerability (CVE-2022-4290) in versions up to 3.5. The vulnerability was discovered in the 'ctlsanitizetitle' function and was publicly disclosed on April 13, 2023. The issue affects users with editor or higher privileges who have the ability to add or modify terms or tags (WPScan).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the 'ctlsanitizetitle' function. This allows authenticated users to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. A partial fix was implemented in version 3.6, with a complete patch released in version 3.7 (WPScan, NVD).

When exploited, this vulnerability could allow authenticated users with appropriate privileges to extract sensitive information from the WordPress database through SQL injection attacks. The severity of this issue is rated as medium with a CVSS score of 6.8 (WPScan).

Users are strongly advised to update their Cyr to Lat plugin to version 3.7 or later, which contains the complete fix for this vulnerability. If immediate updating is not possible, consider restricting access to term and tag management features to trusted administrators only (WPScan).