CVE-2023-2636: 
WordPress vulnerability analysis and mitigation

The AN_GradeBook WordPress plugin through version 5.0.1 contains a SQL injection vulnerability (CVE-2023-2636) that affects users with subscriber-level privileges or higher. The vulnerability stems from improper sanitization and escaping of parameters before their use in SQL statements (NVD, WPScan).

The vulnerability is classified as a CWE-89 (SQL Injection) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue occurs when the plugin fails to properly sanitize and escape parameters before using them in SQL statements. The vulnerability can be exploited through the WordPress admin-ajax.php endpoint using the 'course' action parameter (NVD, WPScan).

The vulnerability allows attackers with subscriber-level access or higher to perform SQL injection attacks against the affected WordPress installation. This could potentially lead to unauthorized access to sensitive database information, modification of database contents, and possible escalation of privileges (NVD).

Currently, there is no known fix available for this vulnerability in the AN_GradeBook WordPress plugin. Website administrators using this plugin should consider either removing it or implementing additional security controls to restrict access to the vulnerable functionality (WPScan).