CVE-2023-50857: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2023-50857) was discovered in FunnelKit Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit affecting versions up to 2.6.1. The vulnerability was reported on December 21, 2023, and was assigned a CVSS v3.1 base score of 7.2 (HIGH) by NIST and 7.6 (HIGH) by Patchstack (Patchstack Advisory, NVD Database).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H from NIST and CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L from Patchstack, indicating a high-severity issue requiring administrator privileges to exploit (NVD Database).

The SQL injection vulnerability could allow a malicious actor with administrator privileges to directly interact with the database, potentially leading to unauthorized data access, modification, or theft of sensitive information (Patchstack Advisory).

The vulnerability has been patched in version 2.7.0 of the plugin. Users are advised to update to version 2.7.0 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack Advisory).