SQL Injection Vulnerability in Advanced Local Pickup for WooCommerce Plugin by WordPress
CVE-2023-2841

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Advanced Local Pickup for WooCommerce
Vendor: CVE Published:; 22 November 2023

Summary

The Advanced Local Pickup for WooCommerce plugin for WordPress has a vulnerability that allows for time-based SQL Injection through the 'id' parameter in versions up to 1.5.5. This vulnerability arises from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers with admin-level access can exploit this weakness to inject additional SQL statements, potentially gaining access to sensitive database information.

Affected Version(s)

Advanced Local Pickup for WooCommerce * <= 1.5.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/advanced-local...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2023
Vulnerability Reserved
May 22, 2023

Credit

Marco Wotschka