CVE-2023-5437: 
WordPress vulnerability analysis and mitigation

The WP fade in text news plugin for WordPress (versions up to and including 12.0) contains a SQL Injection vulnerability (CVE-2023-5437) discovered in October 2023. The vulnerability exists in the plugin's shortcode functionality due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (NVD).

The vulnerability stems from insufficient escaping on user-supplied parameters and lack of proper preparation in existing SQL queries within the plugin's shortcode functionality. The CVSS v3.1 base score is 6.5 (MEDIUM) according to NVD assessment (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), while Wordfence assessed it at 8.8 (HIGH) (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database (NVD).

Users should update to version 12.1 or later of the WP fade in text news plugin, which contains the security fix for this vulnerability (NVD).