CVE-2023-2221: 
WordPress vulnerability analysis and mitigation

The WP Custom Cursors WordPress plugin versions before 3.2 contains a SQL injection vulnerability identified as CVE-2023-2221. The vulnerability was discovered and publicly disclosed on May 24, 2023, affecting the wp-custom-cursors plugin. This security flaw stems from improper parameter sanitization and escaping in SQL statements (WPScan Advisory).

The vulnerability is classified as a SQL injection (SQLI) vulnerability with a CVSS 3.1 base score of 7.2 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The flaw is categorized under CWE-89 and is listed as A1: Injection in the OWASP Top 10. The technical nature of the vulnerability involves insufficient sanitization and escaping of parameters in SQL statements (NVD, WPScan Advisory).

The vulnerability allows attackers with administrative privileges to perform SQL injection attacks against the affected WordPress installations. This could potentially lead to unauthorized access to the database, data manipulation, and possible exposure of sensitive information (NVD).

The vulnerability has been patched in version 3.2 of the WP Custom Cursors plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Advisory).