
PoC exploits released for critical bugs in popular WordPress plugins
2023-01-13 21:28

Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available.

The three vulnerable plugins were discovered by Tenable security researcher Joshua Martinelle, who reported them responsibly to WordPress on December 19, 2022, along with proofs of concept.

The plugin authors released security updates in the following days or weeks, so all three issues are now fixed, and sites running the latest available versions are no longer vulnerable.

Finally, Tenable discovered CVE-2023-23490, a 'high-severity' SQL injection flaw in 'Survey Maker,' a WordPress plugin used by 3,000 websites for surveys and market research.

While all of these plugins were vulnerable to SQL injection and proof-of-concept exploits were released, Tenable did not say what impact successful exploitation could have.

As the bugs are rated high-severity or critical, all sites using these plugins should upgrade to the latest version.


News URL

https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-critical-bugs-in-popular-wordpress-plugins/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                    RISK
2023-01-20  CVE-2023-23490  SQL Injection vulnerability in Ays-Pro Survey Maker    8.8
            The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.
            Attack vector: network. Attack complexity: low. Vendor: ays-pro. Weakness: CWE-89 (SQL injection).
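The advisory above names the parameter ('surveys_ids', a plural) and the action ('ays_surveys_export_json') but not the code, so the following is an added illustration of the bug class, not the Survey Maker plugin's own code: a hypothetical export handler that splices a comma-separated list of survey IDs straight into a SQL IN (...) clause, next to the hardened form that validates each ID and binds it through a placeholder. The request shape, the table layout, the sample rows and the injected value are all constructed here; an in-memory SQLite database stands in for MySQL and $wpdb.

```python
import re
import sqlite3

# Constructed sample data standing in for the tables a survey plugin would query.
SAMPLE_SURVEYS = [
    (1, "Customer satisfaction", 2),
    (2, "Product feedback", 2),
    (3, "Internal HR pulse", 1),
]
SAMPLE_USERS = [
    (1, "admin", "$P$constructed-admin-hash"),
    (2, "editor", "$P$constructed-editor-hash"),
]

# Constructed attacker value for the surveys_ids request parameter: closes the
# IN (...) list, appends a UNION over the users table, and comments out the rest.
INJECTED_IDS = "1) UNION SELECT id, user_pass FROM users--"


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE surveys (id INTEGER PRIMARY KEY, title TEXT, owner INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO surveys VALUES (?, ?, ?)", SAMPLE_SURVEYS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def export_vulnerable(conn, surveys_ids):
    """Bug pattern (hypothetical): the raw request string is spliced into the IN list."""
    sql = f"SELECT id, title FROM surveys WHERE id IN ({surveys_ids})"
    return conn.execute(sql).fetchall()


def parse_id_list(surveys_ids):
    """Accept only a comma-separated list of ASCII decimal integers; reject anything else.

    [0-9]+ is used rather than \\d+ or str.isdigit(), which also accept
    non-ASCII digits, and rather than int(), which accepts '1_0' and whitespace.
    """
    ids = []
    for piece in surveys_ids.split(","):
        piece = piece.strip()
        if not re.fullmatch(r"[0-9]+", piece):
            raise ValueError(f"invalid survey id: {piece!r}")
        ids.append(int(piece))
    return ids


def export_hardened(conn, surveys_ids):
    """Fix: validate, then bind one placeholder per id (the $wpdb->prepare equivalent)."""
    ids = parse_id_list(surveys_ids)
    placeholders = ", ".join("?" for _ in ids)
    sql = f"SELECT id, title FROM surveys WHERE id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


def hardened_rejects(conn, surveys_ids):
    """True when the hardened handler refuses the value instead of running it."""
    try:
        export_hardened(conn, surveys_ids)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable handler, injected value:", export_vulnerable(conn, INJECTED_IDS))
    print("hardened handler rejects injected value:", hardened_rejects(conn, INJECTED_IDS))
```

In a WordPress plugin the same fix is `array_map('intval', ...)` over the list followed by `$wpdb->prepare()` with one `%d` placeholder per ID; the point of the constructed `users` rows is that "authenticated" does not make such a bug low impact, because a WordPress site connects to its database with a single credential, so an injection reachable by any logged-in role reads whatever that credential can, password hashes included.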

Related vendor

VENDOR     LAST 12M / #PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Wordpress  7                      2     95       44     18         159
(The source gives a single value, 7, under the LAST 12M and #/PRODUCTS headers; the four severity counts sum to the 159 total.)