CVE-2023-6567: 
WordPress vulnerability analysis and mitigation

The LearnPress WordPress plugin (CVE-2023-6567) contains a time-based SQL Injection vulnerability affecting all versions up to and including 4.2.5.7. The vulnerability was discovered in January 2024 and is related to insufficient escaping of the 'order_by' parameter in SQL queries (NVD NIST, WPScan Report).

The vulnerability stems from improper sanitization and escaping of the 'order_by' parameter before its use in SQL statements. This security flaw is classified as CWE-89 (SQL Injection) and has received varying CVSS scores: a 7.5 HIGH rating from NIST (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and a 9.8 CRITICAL rating from Wordfence (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD NIST).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. The high severity ratings indicate significant potential for data compromise (NVD NIST).

The vulnerability has been fixed in version 4.2.5.8 of the LearnPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Report).