CVE-2023-23489: 
WordPress vulnerability analysis and mitigation

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edddownloadsearch' action. The vulnerability was discovered and reported in January 2023, with a fix released in version 3.1.0.4 (Tenable Advisory).

The vulnerability exists in the 'eddajaxdownload_search()' function of the './includes/ajax-functions.php' file, where the 's' parameter is not properly sanitized before being used in SQL statements. The vulnerability has been assigned a CVSSv3 Base Score of 9.8 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD, Tenable Advisory).

As an unauthenticated SQL injection vulnerability, successful exploitation could allow attackers to access, modify, or delete database contents without requiring any authentication. The high CVSS score reflects the potential for complete compromise of confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been patched in Easy Digital Downloads version 3.1.0.4. Users are strongly advised to upgrade to this version or later to protect against potential exploitation (Tenable Advisory).