CVE-2022-4372: 
WordPress vulnerability analysis and mitigation

CVE-2022-4372 affects the Web Invoice WordPress plugin through version 2.1.3. The vulnerability was publicly disclosed on December 12, 2022, and involves an SQL injection vulnerability in the plugin's parameter handling. The issue affects installations of the Web Invoice plugin on WordPress sites, particularly impacting systems where the plugin is actively used for invoice management (WPScan Vuln).

The vulnerability stems from improper sanitization and escaping of parameters before their use in SQL statements. It has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (NVD Database, WPScan Vuln).

The vulnerability allows authenticated users with appropriate privileges to perform SQL injection attacks. While it primarily affects administrators by default, the impact could extend to lower-privileged users such as subscribers depending on the plugin's configuration. Successful exploitation could lead to unauthorized database access, modification, or extraction of sensitive information (WPScan Vuln).

As of the latest reports, there is no known fix available for this vulnerability. Users of the Web Invoice WordPress plugin should consider implementing additional security measures or evaluating alternative solutions until a patch is released (WPScan Vuln).