CVE-2023-47852: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in the Link Whisper Free WordPress plugin, identified as CVE-2023-47852. The vulnerability affects versions up to and including 0.6.5 of the plugin. The issue was first reported on October 19, 2023, and publicly disclosed on November 20, 2023. This security flaw stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (WPScan, Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received varying CVSS scores from different sources: NIST assigned a CVSS v3.1 base score of 7.2 (High), while Patchstack rated it at 8.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The vulnerability allows authenticated attackers with contributor-level access or higher to append additional SQL queries to existing ones (NVD, WPScan).

The vulnerability enables malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The attack requires authentication at the contributor level or higher, which somewhat limits its potential impact (Patchstack).

The vulnerability has been patched in version 0.6.6 of the Link Whisper Free plugin. Users are advised to update to version 0.6.6 or later to remediate the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).