CVE-2023-2744: 
WordPress vulnerability analysis and mitigation

The ERP WordPress plugin before version 1.12.4 contains a SQL injection vulnerability (CVE-2023-2744). The vulnerability exists in the erp/v1/accounting/v1/people REST API endpoint, where the type parameter is not properly sanitized and escaped before being used in SQL statements. This security issue was discovered and disclosed in June 2023, affecting all versions of the WP ERP plugin prior to 1.12.4 (WPScan).

The vulnerability is classified as a SQL injection (CWE-89) with a CVSS v3.1 base score of 7.2 (HIGH). The attack vector requires high privileges, such as administrator access, to exploit. The vulnerability allows for SQL injection through the manipulation of the type parameter in the REST API endpoint erp/v1/accounting/v1/people. This can be demonstrated by executing specific API requests that cause time delays through SQL injection payloads (WPScan, NVD).

If exploited, this vulnerability could allow authenticated administrators to perform SQL injection attacks, potentially leading to unauthorized access to data, modification of database contents, and compromise of the WordPress installation's integrity. The vulnerability has received a high severity rating due to its potential impact on confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been patched in version 1.12.4 of the WP ERP plugin. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).