CVE-2022-44580: 
WordPress vulnerability analysis and mitigation

A SQL Injection (SQLi) vulnerability was discovered in the RichPlugins Plugin for Google Reviews WordPress plugin versions 2.2.3 and below. The vulnerability was assigned CVE-2022-44580 and was reported on November 17, 2022, by Rafie Muhammad. The issue was publicly disclosed on February 8, 2023, and was subsequently patched in version 2.2.4 (Patchstack).

The vulnerability stems from improper sanitization and escaping of the place_id parameter in the grw_overview_ajax AJAX action. This security flaw allows authenticated users, including those with subscriber-level access, to perform SQL injection attacks. The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) from Patchstack and 8.8 (High) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (WPScan, NVD).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information, data manipulation, and possible database compromise. The high CVSS score indicates that this vulnerability is considered highly dangerous and expected to become mass exploited (Patchstack).

Users are strongly advised to update the Plugin for Google Reviews to version 2.2.4 or later to resolve the vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).