CVE-2023-5709: 
WordPress vulnerability analysis and mitigation

The WD WidgetTwitter plugin for WordPress contains a SQL Injection vulnerability (CVE-2023-5709) affecting versions up to and including 1.0.9. The vulnerability was discovered and disclosed on November 6, 2023, by István Márton from Wordfence (Wordfence Advisory).

The vulnerability exists due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the plugin's shortcode functionality. The CVSS v3.1 base score is 8.8 (High) according to Wordfence, while NIST assigns a score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) (NVD Database).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to append additional SQL queries to existing queries. This can be leveraged to extract sensitive information from the WordPress database (NVD Database).

Users should immediately update to a version newer than 1.0.9 if available, or consider removing the plugin if it's not actively needed. The vulnerable code can be found in the plugin's source (WordPress Plugin).