CVE-2023-1020: 
WordPress vulnerability analysis and mitigation

The Steveas WP Live Chat Shoutbox WordPress plugin through version 1.4.2 contains an unauthenticated SQL injection vulnerability. The vulnerability was discovered by Simone Onofri and Donato Onofri, and was publicly disclosed on April 3, 2023. The issue affects the wp-shoutbox-live-chat plugin and has been assigned CVE-2023-1020 (WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action that is accessible to unauthenticated users. The vulnerability has been classified as SQL Injection (SQLI) under OWASP Top 10 category A1: Injection and CWE-89. It has been assigned a CVSS score of 8.6 (High), indicating its serious nature (WPScan).

This vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations. Since the vulnerability is accessible through an AJAX action without authentication, it poses a significant risk to the security of the database and potentially the entire WordPress installation (WPScan).

As of the vulnerability disclosure, there is no known fix available for this vulnerability. Website administrators running the affected plugin versions should consider either removing the plugin or implementing additional security controls to protect against SQL injection attacks (WPScan).