CVE-2022-45808: 
WordPress vulnerability analysis and mitigation

SQL Injection vulnerability affects LearnPress – WordPress LMS Plugin versions 4.1.7.3.2 and below. The vulnerability was discovered in late 2022 and publicly disclosed on January 24, 2023. LearnPress is a comprehensive WordPress LMS Plugin with over 100,000 active installations, used for creating and selling courses online (Patchstack Advisory).

The vulnerability exists due to improper sanitization of the 'order by' parameter before its use in SQL statements. This vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST and 9.9 (CRITICAL) from Patchstack, indicating its severe nature. The issue is classified as CWE-89 (SQL Injection) and allows unauthenticated users to inject malicious SQL queries into the database (NVD, WPScan).

The SQL injection vulnerability allows unauthenticated attackers to directly interact with the database, potentially leading to unauthorized access to sensitive information, data manipulation, and possible complete database compromise (Patchstack Database).

The vulnerability was patched in LearnPress version 4.2.0. Users are strongly advised to update to this version or later immediately. The fix implements proper whitelist validation and sanitization on the vulnerable parameters. Patchstack users are protected through virtual patching that mitigates the vulnerability until the update is applied (Patchstack Advisory).