CVE-2023-50856: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2023-50856) was discovered in FunnelKit Funnel Builder for WordPress plugin, affecting versions up to 2.14.3. The vulnerability was reported by Muhammad Daffa on October 23, 2023, and was publicly disclosed on December 21, 2023. This security issue affects the FunnelKit Funnel Builder plugin, which is used for customizing WooCommerce checkout pages and creating sales funnels (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). The issue stems from insufficient escaping of user-supplied parameters and lack of proper preparation in existing SQL queries. The vulnerability has received multiple CVSS scores: NIST assigned a CVSS v3.1 base score of 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 7.6 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD, Patchstack).

The vulnerability allows authenticated attackers with administrator access to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. This could lead to unauthorized access to database contents and potential data breaches (WPScan).

The vulnerability has been fixed in version 2.14.4 of the FunnelKit Funnel Builder plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).