WP Brutal AI < 2.0.0 - SQL Injection via CSRF
CVE-2023-2601

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: WPbrutalai
Vendor: CVE Published:; 27 June 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WP Brutal AI plugin for WordPress, prior to version 2.0.0, is susceptible to SQL injection due to improper sanitization and escaping of a parameter utilized in an SQL statement. This vulnerability can be exploited by an administrator via Cross-Site Request Forgery (CSRF), potentially allowing unauthorized access to the database and associated data manipulation. Operators of WordPress sites using this plugin should apply the latest updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

wpbrutalai 0 < 2.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-2601 - Proof of Concept

References

https://wpscan.com/vulnerability/57769468-3802-4985-bf5e-...

exploitvdb-entrytechnical-description

http://packetstormsecurity.com/files/173732/WordPress-WP-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jun 27, 2023
👾
Exploit known to exist
Jun 27, 2023
Vulnerability published
Jun 27, 2023
Vulnerability Reserved
May 9, 2023

Credit

Taurus Omar

WPScan