CVE-2023-28662: 
WordPress vulnerability analysis and mitigation

The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, contains an unauthenticated SQL injection vulnerability identified as CVE-2023-28662. The vulnerability exists in the template parameter within the wpgv_doajax_voucher_pdf_save_func action. This security flaw was discovered and reported by Joshua Martinelle of Tenable Research (Tenable Research).

The vulnerability is classified with a Critical CVSS v3.1 Base Score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The security flaw stems from improper sanitization and escaping of the template parameter in the wpgv_doajax_voucher_pdf_save_func AJAX action, which allows for SQL injection attacks (NVD, WPScan).

The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the affected WordPress installation's database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, and compromise of the WordPress site's integrity (Tenable Research).

Website administrators running the affected versions of the Gift Cards WordPress plugin should upgrade to version 4.3.3 or later, which contains the security fix for this vulnerability (WPScan).