CVE-2023-5041: 
WordPress vulnerability analysis and mitigation

The Track The Click WordPress plugin before version 0.3.12 contains a SQL injection vulnerability (CVE-2023-5041) that was discovered and publicly disclosed on September 26, 2023. The vulnerability affects the plugin's stats REST endpoint functionality and impacts WordPress installations running versions prior to 0.3.12 (WPScan).

The vulnerability stems from improper sanitization of query parameters in the stats REST endpoint before their use in database queries. This is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically allows for time-based blind SQL injection attacks (NVD, WPScan).

The vulnerability allows authenticated users with author role or higher to perform time-based blind SQL injection attacks on the database, potentially leading to unauthorized access to sensitive database information, data manipulation, or data exfiltration (WPScan).

The vulnerability has been fixed in version 0.3.12 of the Track The Click plugin. Version 0.3.11 implemented partial fixes by restricting the API endpoint to administrators only, but did not address all SQL injection vectors. Users are advised to update to version 0.3.12 or later (WPScan).