CVE-2023-52135: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin, affecting versions up to 1.9.170. The vulnerability was identified on December 28, 2023, and was assigned CVE-2023-52135. This security flaw affects the WordPress plugin's handling of SQL queries, specifically impacting administrators and users with higher privileges (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It received a CVSS v3.1 base score of 7.2 (HIGH) according to NVD with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The issue stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries (NVD).

The vulnerability allows authenticated attackers with administrator access to append additional SQL queries to existing ones, potentially leading to the extraction of sensitive information from the database. This could result in unauthorized access to and manipulation of the database content (WPScan).

The vulnerability has been patched in version 1.9.171 of the WS Form LITE plugin. Users are advised to update to this version or later to remove the vulnerability. The issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).