CVE-2023-0955: 
WordPress vulnerability analysis and mitigation

CVE-2023-0955 is a SQL injection vulnerability affecting the WP Statistics WordPress plugin versions below 14.0. The vulnerability was discovered and publicly disclosed on March 6, 2023. The issue affects the plugin's parameter handling functionality, which is accessible to authenticated users (WPScan).

The vulnerability stems from inadequate parameter escaping in the WP Statistics plugin. By default, the affected feature is accessible to users with manage_options capability (administrator level), though plugin settings allow this access to be granted to lower-privilege users. The vulnerability has been assigned a CVSS score of 7.7 (High) and is classified as a SQL Injection (SQLI) vulnerability, falling under the OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

When exploited, this vulnerability could allow authenticated users to perform SQL injection attacks against the affected WordPress installation. The impact is particularly significant if the plugin's settings have been configured to grant access to lower-privilege users (WPScan).

The vulnerability has been fixed in WP Statistics version 14.0. Users are advised to update to this version or later to mitigate the risk (WPScan, Trustwave).