SQL Injection Vulnerability in Advanced Local Pickup for WooCommerce Plugin by WordPress
CVE-2023-2841

7.2HIGH

Key Information:

Vendor

Wordpress
Status
Advanced Local Pickup for WooCommerce
Vendor
CVE Published:
22 November 2023

What is CVE-2023-2841?

The Advanced Local Pickup for WooCommerce plugin for WordPress has a vulnerability that allows for time-based SQL Injection through the 'id' parameter in versions up to 1.5.5. This vulnerability arises from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers with admin-level access can exploit this weakness to inject additional SQL statements, potentially gaining access to sensitive database information.

Affected Version(s)

Advanced Local Pickup for WooCommerce * <= 1.5.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/advanced-local...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.
CVE-2023-2841 : SQL Injection Vulnerability in Advanced Local Pickup for WooCommerce Plugin by WordPress