CVE-2023-50843: 
WordPress vulnerability analysis and mitigation

The Clockwork SMS Notfications WordPress plugin contains an SQL Injection vulnerability (CVE-2023-50843) discovered in December 2023. This vulnerability affects all versions up to and including 3.0.4 of the plugin. The issue stems from insufficient escaping of user-supplied parameters and lack of proper preparation in SQL queries (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') issue. It has received a CVSS v3.1 base score of 7.2 (High) from NVD and 7.6 (High) from Patchstack, with different vector strings: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H and CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L respectively. The vulnerability is tracked under CWE-89 (NVD).

The vulnerability allows authenticated attackers with administrator access to append additional SQL queries into existing queries. This can be exploited to extract sensitive information from the database. The high CVSS scores indicate significant potential impact on the confidentiality, integrity, and availability of the affected system (WPScan).

As of the latest reports, there is no official fix available for this vulnerability. The issue affects versions up to and including 3.0.4 of the Clockwork SMS Notfications plugin (NVD).