CVE-2023-49750: 
WordPress vulnerability analysis and mitigation

The CVE-2023-49750 is a SQL Injection vulnerability discovered in the Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme. The vulnerability was publicly disclosed on December 4, 2023, and affects all versions of the theme before version 2.2. This security flaw is characterized as an Improper Neutralization of Special Elements used in an SQL Command vulnerability (NVD, WPScan).

The vulnerability is classified as CWE-89 (SQL Injection) and has received a Critical CVSS v3.1 base score of 9.8 from NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and 9.3 from Patchstack (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L). The issue stems from insufficient escaping of user-supplied parameters and lack of proper preparation in existing SQL queries (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. The high CVSS score indicates the critical nature of this vulnerability, with potential for complete compromise of system confidentiality, integrity, and availability (Patchstack).

The vulnerability has been fixed in version 2.2 of the theme. Users are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).

The vulnerability was initially discovered and reported by security researcher Vladislav Pokrovsky (ΞX.MI) on August 21, 2023. The issue was subsequently analyzed and verified by multiple security organizations, including Patchstack and Wordfence, highlighting its significance in the WordPress security community (WPScan).