MultiParcels Shipping For WooCommerce < 1.14.15 - Subscribers+ SQLi
CVE-2023-2843

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Multiparcels Shipping For WooCommerce
Vendor: CVE Published:; 7 August 2023

Summary

The MultiParcels Shipping for WooCommerce plugin for WordPress, prior to version 1.14.15, contains a vulnerability where user inputs are not adequately sanitized and escaped before being used in SQL statements. This oversight permits authenticated users, including those with subscriber roles, to execute SQL injection attacks. Such attacks could compromise the security of the database and lead to unauthorized data access or manipulation.

Affected Version(s)

MultiParcels Shipping For WooCommerce 0 < 1.14.15

References

https://wpscan.com/vulnerability/8e713eaf-f332-47e2-a131-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 7, 2023
Vulnerability Reserved
May 22, 2023

Credit

Dao Xuan Hieu

WPScan