CVE-2023-2719: 
WordPress vulnerability analysis and mitigation

The SupportCandy WordPress plugin before version 3.1.7 contains a SQL injection vulnerability identified as CVE-2023-2719. The vulnerability was discovered and publicly disclosed on May 22, 2023. The issue affects the plugin's REST API functionality where the 'id' parameter for an Agent is not properly sanitized and escaped before being used in SQL statements (WPScan).

The vulnerability is classified as an SQL Injection (SQLI) with a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue falls under the OWASP Top 10 category A1: Injection and is identified with CWE-89. A proof of concept exists showing that the vulnerability can be exploited by making a request to 'wp-json/supportcandy/v2/agents/234563?id=-1 OR 1%3D(SELECT IF(1%3D1,SLEEP(10),1))' which results in a 10-second delay, confirming the SQL injection (WPScan).

The vulnerability allows users with roles as low as Subscriber to perform SQL injection attacks against the affected WordPress installations. This could potentially lead to unauthorized access to sensitive database information, modification of database contents, and possible escalation of privileges (WPScan).

The vulnerability has been fixed in version 3.1.7 of the SupportCandy plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).