CVE-2022-47586: 
WordPress vulnerability analysis and mitigation

An unauthenticated SQL Injection (SQLi) vulnerability was discovered in the Themefic Ultimate Addons for Contact Form 7 WordPress plugin, affecting versions 3.1.23 and below. The vulnerability was initially reported on December 22, 2022, and was publicly disclosed on May 9, 2023 (Patchstack Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level. Patchstack assigned a slightly lower CVSS score of 8.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD Database).

This SQL Injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information, data manipulation, and possible database compromise. The vulnerability's critical severity rating indicates it could have severe consequences for affected systems (Patchstack Advisory).

The vulnerability has been patched in version 3.1.24 of the Ultimate Addons for Contact Form 7 plugin. Users are strongly advised to update to this version or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Advisory).