CVE-2023-6035: 
WordPress vulnerability analysis and mitigation

The EazyDocs WordPress plugin before version 2.3.4 contains a SQL injection vulnerability identified as CVE-2023-6035. The vulnerability was discovered and publicly disclosed on November 20, 2023. The issue affects the plugin's handling of the 'data' parameter in AJAX actions, where improper sanitization and escaping could allow authenticated users, including those with subscriber-level access, to perform SQL injection attacks (WPScan Advisory).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.8 (HIGH), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue specifically occurs in the AJAX action handling where the 'data' parameter is used in SQL statements without proper sanitization. This vulnerability can be exploited through the WordPress admin-ajax.php endpoint (NVD Database).

If exploited, this vulnerability allows authenticated attackers to perform SQL injection attacks against the affected WordPress installation. Given the CVSS score of 8.8, the potential impact includes unauthorized access to or modification of database contents, which could lead to data theft, data manipulation, or potential website compromise (WPScan Advisory).

The vulnerability has been patched in EazyDocs version 2.3.4. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan Advisory).