CVE-2023-41685: 
WordPress vulnerability analysis and mitigation

The CVE-2023-41685 is a SQL Injection vulnerability discovered in the ilGhera Woocommerce Support System WordPress plugin. The vulnerability affects versions up to and including 1.2.1, and was publicly disclosed on September 4, 2023. The issue stems from improper neutralization of special elements used in SQL commands, specifically in the handling of the orderby parameter (Patchstack, WPScan).

The vulnerability is classified as CWE-89 (SQL Injection) and received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The security flaw exists due to insufficient sanitization and escaping of the orderby parameter before its use in SQL statements. This vulnerability is exploitable by users with high privileges such as administrators (NVD, WPScan).

The SQL injection vulnerability could allow malicious actors with administrative access to directly interact with the database, potentially leading to unauthorized data access, modification, or deletion of database contents (Patchstack).

The vulnerability has been fixed in version 1.2.2 of the Woocommerce Support System plugin. Users are advised to update to version 1.2.2 or later to remediate this security issue (Patchstack).