CVE-2023-2719 Information

Description

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the id parameter for an Agent in the REST API before using it in an SQL statement leading to an SQL Injection exploitable by users with a role as low as Subscriber.

Reference

https://wpscan.com/vulnerability/d9f6f4e7-a237-49c0-aba0-2934ab019e35