WP ERP < 1.12.4 - Admin+ SQL Injection
CVE-2023-2744
Key Information:
- Vendor: WordPress
- CVE Published: 27 June 2023
What is CVE-2023-2744?
The WP ERP plugin for WordPress prior to version 1.12.4 does not adequately sanitize or escape the type parameter of the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement. High-privilege users, including administrators, can therefore perform unauthorized SQL queries through this parameter, which could lead to unauthorized data access or modification. Users should update to the latest version.
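As an added illustration (not WP ERP's own code; the table names, capability check and allowed values are assumptions), the pattern the description refers to, a REST handler that splices the type parameter into a query, next to a hardened handler that allowlists the value and binds it with $wpdb->prepare():

```php
<?php
// Added example, not the plugin's code. Table and column names, the
// capability required and the set of allowed types are all assumed.

add_action('rest_api_init', function () {
    register_rest_route('erp/v1', '/accounting/v1/people', [
        'methods'             => 'GET',
        'callback'            => 'example_people_hardened',
        'permission_callback' => function () {
            return current_user_can('manage_options'); // assumed capability
        },
    ]);
});

// Vulnerable pattern: the request value is concatenated into the SQL text,
// so a caller who passes the permission check controls the statement itself.
function example_people_vulnerable(WP_REST_Request $request) {
    global $wpdb;
    $type = $request->get_param('type');
    $sql  = "SELECT p.id, p.first_name, p.email FROM {$wpdb->prefix}example_people p "
          . "JOIN {$wpdb->prefix}example_people_types t ON t.id = p.type_id "
          . "WHERE t.name = '" . $type . "'";
    return rest_ensure_response($wpdb->get_results($sql));
}

// Hardened pattern: reject anything outside a fixed allowlist, then let
// $wpdb->prepare() bind the value as a parameter instead of string text.
function example_people_hardened(WP_REST_Request $request) {
    global $wpdb;
    $allowed = ['customer', 'vendor', 'employee']; // assumed set of types
    $type    = sanitize_key((string) $request->get_param('type'));
    if (!in_array($type, $allowed, true)) {
        return new WP_Error('rest_invalid_param', 'Unknown people type.', ['status' => 400]);
    }
    $sql = $wpdb->prepare(
        "SELECT p.id, p.first_name, p.email FROM {$wpdb->prefix}example_people p "
        . "JOIN {$wpdb->prefix}example_people_types t ON t.id = p.type_id "
        . "WHERE t.name = %s",
        $type
    );
    return rest_ensure_response($wpdb->get_results($sql));
}
```

The allowlist is the stronger of the two controls: even with prepare() binding the value, a parameter that selects a table, column or sort order must be checked against known values rather than escaped.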
Affected Version(s)
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting 0 < 1.12.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
EPSS Score
25% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved