Security News > 2023 > January > PoC exploits released for critical bugs in popular WordPress plugins
Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available.
The three vulnerable plugins were discovered by Tenable security researcher Joshua Martinelle, who reported them responsibly to WordPress on December 19, 2022, along with proofs of concept.
The authors of the plugins released security updates to address the issues in the following days or weeks, so all problems have been fixed now, and those running the latest available version are no longer vulnerable.
Finally, Tenable discovered CVE-2023-23490, a 'high-severity' SQL injection flaw in 'Survey Maker,' a WordPress plugin used by 3,000 websites for surveys and market research.
While all of these plugins were vulnerable to SQL injection, and proof-of-concept exploits were released, Tenable did not share what impact they could have if exploited in attacks.
As the bugs are categorized as critical, it is recommended that all sites using these plugins upgrade to the latest version.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-20 | CVE-2023-23490 | SQL Injection vulnerability in Ays-Pro Survey Maker: the Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action. | 8.8 |
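The table entry describes the classic shape of this bug class: an authenticated admin-ajax action takes a list of record IDs and builds an `IN (...)` clause from it. The following PHP is an added illustration of how such a handler should be written in a WordPress plugin; it is not the Survey Maker plugin's code, not Tenable's proof of concept, and the action name, nonce name, table name and parameter name (`ids`) are all hypothetical. The point it shows is that the ID list is reduced to positive integers before it gets near SQL, and that the query is built with one `%d` placeholder per value through `$wpdb->prepare()` rather than by string concatenation.

```php
<?php
// Illustrative hardening pattern for a WordPress AJAX action that receives a
// list of row IDs. Constructed for this note; not the Survey Maker plugin's
// code. Action, nonce, table and parameter names are hypothetical.

add_action( 'wp_ajax_example_export_json', 'example_export_json_handler' );

function example_export_json_handler() {
    global $wpdb;

    // 1. Capability and nonce checks limit who can reach the query at all.
    //    An "authenticated" SQL injection is still reachable by any logged-in
    //    user if the handler never asks which capability the caller holds.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_export_nonce', 'nonce' );

    // 2. Normalise the parameter to a list of positive integers.
    $raw = isset( $_POST['ids'] ) ? wp_unslash( $_POST['ids'] ) : array();
    $ids = example_sanitize_id_list( $raw );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid ids', 400 );
    }

    // 3. Never interpolate the raw list into SQL. The unsafe pattern is
    //        "... WHERE id IN (" . $_POST['ids'] . ")"
    //    which lets any non-numeric text become part of the statement.
    //    Instead, generate one %d placeholder per id and let prepare() bind.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'example_surveys';
    $sql          = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id IN ({$placeholders})",
        $ids
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    wp_send_json_success( $rows );
}

/**
 * Accepts a comma-separated string or an array and returns unique positive
 * integers. Anything that is not a plain digit string is dropped, so an input
 * such as "1,2 OR 1=1" collapses to array( 1 ).
 */
function example_sanitize_id_list( $raw ) {
    $parts = is_array( $raw ) ? $raw : explode( ',', (string) $raw );
    $ids   = array();
    foreach ( $parts as $part ) {
        $part = trim( (string) $part );
        if ( ctype_digit( $part ) && (int) $part > 0 ) {
            $ids[] = (int) $part;
        }
    }
    return array_values( array_unique( $ids ) );
}
```

Two design choices are worth noting for reviewers of other plugins. `absint()`-style coercion on each element would also work, but the explicit `ctype_digit()` test makes it obvious in code review that nothing except digits survives. And the placeholder string is built from `count( $ids )` after sanitisation, never from the raw request, so the number of bound values always matches the number of `%d` markers.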