CVE-2023-48738: 
WordPress vulnerability analysis and mitigation

The Porto Theme - Functionality plugin for WordPress contains a critical SQL Injection vulnerability (CVE-2023-48738) affecting versions prior to 2.12.1. This premium plugin, which is a required component for the Porto theme with over 95,000 active installations, allows unauthenticated attackers to perform SQL injection attacks when the Critical CSS feature is enabled (Patchstack Article, Security Online).

The vulnerability exists in the bulk_delete_critical function, which handles the deletion of critical CSS. The function can be called through the table_actions function without proper permission and nonce validation. The vulnerability stems from insufficient escaping of the $page_ids variable and inadequate SQL query preparation. The severity is rated as Critical with a CVSS score of 9.3-9.8 (NVD, Patchstack Article).

This vulnerability allows unauthenticated attackers to perform SQL injection attacks, potentially leading to unauthorized access to sensitive database information. The high CVSS score indicates the severe nature of this vulnerability, which could result in data theft and database compromise (Security Online).

Users are strongly advised to update to Porto Theme - Functionality plugin version 2.12.1 or later, which includes patches implementing permission and nonce validation on the table_actions function and proper type casting for the $page_ids variable (Patchstack Article).