CVE-2023-6981: 
WordPress vulnerability analysis and mitigation

The WP SMS plugin for WordPress (versions up to and including 6.5) contains a SQL Injection vulnerability identified as CVE-2023-6981. The vulnerability exists in the 'group_id' parameter due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. The issue was discovered and disclosed on January 3, 2024 (NVD).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 4.9 (Medium) according to NIST, and 6.1 (Medium) according to Wordfence. The vulnerability requires authenticated access with contributor-level privileges or higher. The technical issue stems from improper neutralization of special elements used in SQL commands, specifically in the handling of the 'group_id' parameter (NVD).

When exploited, this vulnerability allows authenticated attackers to append additional SQL queries to existing database queries. This can be used to extract sensitive information from the database and potentially achieve Reflected Cross-site Scripting attacks (NVD).

A patch has been released to address this vulnerability. Users should upgrade to version 6.5.1 or later of the WP SMS plugin. The fix includes improved parameter escaping and SQL query preparation as evidenced in the patch commit (GitHub Patch).