CVE-2023-2744

Name of the Vulnerable Software and Affected Versions ERP WordPress plugin versions prior to 1.12.4

Description The issue concerns a SQL injection problem. It occurs because the type parameter in the "erp/v1/accounting/v1/people" REST API endpoint is not properly sanitized and escaped before being used in a SQL statement. This can be exploited by high-privilege users, such as admins.

Recommendations For versions prior to 1.12.4, update to version 1.12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "erp/v1/accounting/v1/people" API endpoint until the update is applied.