CVE-2023-49764: 
WordPress vulnerability analysis and mitigation

The Advanced Database Cleaner WordPress plugin contains an SQL Injection vulnerability (CVE-2023-49764) discovered in versions up to and including 3.1.2. The vulnerability was reported on December 4, 2023, by security researcher Kévin Mosbahi (Mika). This security issue affects the plugin's handling of the 'orderby' parameter due to insufficient escaping of user-supplied input (Wordfence, Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It received a CVSS v3.1 base score of 7.2 (HIGH) according to NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assessed it with a score of 7.6 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The vulnerability allows authenticated attackers with administrator-level access to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database (Wordfence).

The vulnerability has been fixed in version 3.1.3 of the Advanced Database Cleaner plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).