CVE-2023-2843: 
WordPress vulnerability analysis and mitigation

The MultiParcels Shipping For WooCommerce WordPress plugin before version 1.14.15 contains a SQL injection vulnerability (CVE-2023-2843) that was discovered on July 17, 2023. The vulnerability affects the plugin's handling of parameters in SQL statements, potentially exposing WordPress installations to unauthorized data access and manipulation (WPScan Advisory).

The vulnerability stems from improper sanitization and escaping of parameters before their use in SQL statements. The issue has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. While the issue was initially fixed in version 1.14.13, a more comprehensive patch was implemented in version 1.14.15 following security recommendations (NVD, WPScan Advisory).

The vulnerability allows any authenticated users, including those with subscriber-level access, to perform SQL injection attacks. This could potentially lead to unauthorized access to sensitive database information, data manipulation, and possible compromise of the WordPress installation (WPScan Advisory).

Users are strongly advised to update their MultiParcels Shipping For WooCommerce plugin to version 1.14.15 or later, which contains the complete security fix for this vulnerability (WPScan Advisory).