CVE-2023-50848: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in the WordPress 404 Solution plugin, identified as CVE-2023-50848. The vulnerability affects versions up to 2.34.0 of the plugin and was discovered by Muhammad Daffa. The issue was publicly disclosed on December 21, 2023, and involves improper neutralization of special elements used in SQL commands in the Aaron J 404 Solution plugin (Patchstack).

The vulnerability stems from improper sanitization and escaping of the orderby parameter before its use in SQL statements. It has been assigned CWE-89 (SQL Injection) classification. The vulnerability received a CVSS v3.1 base score of 7.2 (HIGH) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assessed it with a score of 7.6 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The SQL injection vulnerability could allow malicious actors with high privileges (such as administrators) to directly interact with the database, potentially leading to unauthorized data access, modification, or extraction of sensitive information (WPScan).

The vulnerability has been patched in version 2.35.0 of the 404 Solution plugin. Users are advised to update to this version or later to remediate the security issue. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).