CVE-2023-49752: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability was discovered in the Spoon themes Adifier - Classified Ads WordPress Theme, tracked as CVE-2023-49752. The vulnerability affects versions before 3.1.4 and was discovered by Vladislav Pokrovsky (ΞX.MI). The issue was publicly disclosed on December 4, 2023, and allows unauthenticated attackers to perform SQL injection attacks (Wordfence Intel, WPScan).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It received a Critical CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NIST NVD, while Patchstack assigned a score of 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L). The vulnerability stems from insufficient escaping of user-supplied parameters and lack of proper preparation in existing SQL queries (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing ones, potentially leading to the extraction of sensitive information from the database. Due to its critical severity rating and unauthenticated nature, this vulnerability poses a significant risk to affected installations (WPScan, Patchstack).

The vulnerability has been patched in version 3.1.4 of the Adifier theme. Users are strongly advised to update to this version or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).