CVE-2023-5433: 
WordPress vulnerability analysis and mitigation

The Message ticker plugin for WordPress contains a SQL Injection vulnerability (CVE-2023-5433) in versions up to and including 9.2. The vulnerability was discovered in the plugin's shortcode functionality due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (NVD).

The vulnerability exists due to insufficient escaping on user-supplied parameters and lack of proper preparation in existing SQL queries within the plugin's shortcode functionality. The CVSS v3.1 base score is 8.8 (HIGH) according to Wordfence's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The NVD assessment rates it at 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database (NVD).

Users should upgrade to version 9.3 or later of the Message ticker plugin, which contains the fix for this vulnerability. The patch is available through the WordPress plugin repository (NVD).