CVE-2023-28748: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2023-28748) was discovered in the WordPress Copy or Move Comments plugin, affecting versions up to and including 5.0.4. The vulnerability was reported by researcher minhtuanact on March 23, 2023, and was publicly disclosed on October 3, 2023 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level. The vulnerability can be exploited by users with Subscriber-level privileges or higher (Patchstack).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information, data manipulation, and possible complete database compromise (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement immediate mitigation measures or consider using Patchstack's protection (Patchstack).