CVE-2023-5336: 
WordPress vulnerability analysis and mitigation

The iPanorama 360 – WordPress Virtual Tour Builder plugin for WordPress (versions up to 1.8.0) contains a SQL Injection vulnerability identified as CVE-2023-5336. The vulnerability was discovered due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin's shortcode functionality (NVD).

The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 6.5 (MEDIUM) according to NVD, while Wordfence assessed it with a higher CVSS score of 8.8 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database (NVD).

Users should update to a version newer than 1.8.0 of the iPanorama 360 – WordPress Virtual Tour Builder plugin. The vulnerability has been patched in subsequent releases (NVD).