CVE-2023-35915: 
WordPress vulnerability analysis and mitigation

CVE-2023-35915 is a SQL Injection vulnerability discovered in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo, affecting versions up to 5.9.0. The vulnerability was reported on June 20, 2023, by security researcher Rafie Muhammad (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) issue. It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a score of 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The vulnerability could allow a malicious actor to directly interact with the database, potentially leading to unauthorized access to sensitive information. The attack requires Shop Manager or higher privileges to exploit (Patchstack).

The vulnerability has been patched in version 5.9.1 of the WooPayments plugin. Users are advised to update to version 5.9.1 or later to remediate this security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).