CVE-2023-49825: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in PenciDesign's Soledad WordPress theme, identified as CVE-2023-49825. The vulnerability affects versions up to and including 8.4.1 of the Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme. The issue was publicly disclosed on December 5, 2023, and was initially reported by security researcher Rafie Muhammad (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability, categorized under CWE-89. The issue stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The vulnerability has received multiple CVSS ratings: an 8.1 HIGH score from NIST (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and an 8.5 HIGH score from Patchstack (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. This could lead to unauthorized access to and manipulation of the database content (WPScan).

The vulnerability has been fixed in version 8.4.2 of the Soledad theme. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).