CVE-2023-50853: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2023-50853) was discovered in the Nasirahmed Advanced Form Integration WordPress plugin, affecting versions up to and including 1.75.0. The vulnerability was reported on October 23, 2023, by Muhammad Daffa and publicly disclosed on December 21, 2023. This plugin is designed to connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has received varying CVSS scores. The NVD assigned a CVSS v3.1 base score of 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The vulnerability requires administrator-level privileges to exploit (NVD).

The vulnerability could allow a malicious actor with administrator privileges to directly interact with the database, potentially leading to unauthorized data access and manipulation. The high CVSS scores indicate significant potential impact on the confidentiality, integrity, and availability of the affected system (Patchstack).

The vulnerability has been patched in version 1.76.0 of the Advanced Form Integration plugin. Users are advised to update to this version or later to remediate the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).