CVE-2023-48764: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2023-48764) was discovered in GuardGiant Brute Force Protection WordPress plugin, affecting versions up to 2.2.5. The vulnerability was reported by researcher Kévin Mosbahi (Mika) and was publicly disclosed on November 28, 2023. The issue stems from improper neutralization of special elements used in SQL commands within the plugin (Patchstack).

The vulnerability occurs due to improper sanitization and escaping of the orderby parameter before its use in SQL statements. This SQL injection vulnerability is exploitable by high-privilege users such as administrators. The vulnerability has received multiple CVSS ratings: NIST assigned a CVSS v3.1 base score of 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 7.6 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The vulnerability is classified as CWE-89 (SQL Injection) (NVD, WPScan).

The SQL injection vulnerability could allow malicious actors with administrative privileges to directly interact with the database, potentially leading to unauthorized data access, manipulation, or theft of sensitive information (Patchstack).

The vulnerability has been fixed in version 2.2.6 of the GuardGiant Brute Force Protection plugin. Users are advised to update to version 2.2.6 or later to remediate the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).