CVE-2023-52131: 
WordPress vulnerability analysis and mitigation

The WordPress Page Generator plugin contains an SQL Injection vulnerability (CVE-2023-52131) discovered by Muhammad Daffa. The vulnerability affects all versions of Page Generator up to and including version 1.7.1, with a fix released in version 1.7.2. This security issue was publicly disclosed on December 28, 2023 (Patchstack, Wordfence).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It occurs due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. The vulnerability has received varying CVSS scores: a 7.2 (HIGH) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and a 7.6 (HIGH) from Patchstack with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The vulnerability allows authenticated attackers with administrator access to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. This could lead to unauthorized access to database contents and potential data breaches (WPScan).

Users are advised to update to Page Generator version 1.7.2 or later to remediate this vulnerability. This version contains the necessary fixes to address the SQL injection issue (Patchstack).