CVE-2023-40010: 
WordPress vulnerability analysis and mitigation

A critical SQL Injection vulnerability (CVE-2023-40010) was discovered in the HUSKY – Products Filter for WooCommerce Professional WordPress plugin, affecting versions up to 1.3.4.2. The vulnerability was reported on August 15, 2023, by researcher Nguyen Anh Tien and publicly disclosed on November 27, 2023. This security flaw allows unauthenticated attackers to perform SQL injection attacks through insufficient escaping of user-supplied parameters (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It received a CVSS v3.1 base score of 9.8 (Critical) from NIST and 9.3 (Critical) from Patchstack. The issue stems from insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries, allowing attackers to append additional SQL queries to extract sensitive information from the database (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to interact directly with the database, potentially leading to unauthorized access to sensitive information, data theft, and possible database manipulation. The critical severity rating indicates the potential for significant impact on affected systems (Patchstack).

Users are strongly advised to update to version 1.3.4.3 or later, which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).