CVE-2023-3197: WordPress MStore API <= 4.0.1 - Unauthenticated SQL Injection
Vulnerability Description
The MStore API plugin for WordPress, up to and including version 4.0.1, contains an unauthenticated blind SQL injection caused by insufficient escaping of the 'id' parameter in SQL queries. This lets attackers execute arbitrary SQL commands without authentication. Exploitation requires sending crafted requests with a malicious 'id' parameter.

[Publicly disclosed]

id: CVE-2023-3197

info:
  name: WordPress MStore API <= 4.0.1 - Unauthenticated SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    MStore API plugin for WordPress up to version 4.0.1 contains an unauthenticated blind SQL injection caused by insufficient escaping of 'id' parameter in SQL queries, letting attackers execute arbitrary SQL commands without authentication, exploit requires sending crafted requests with malicious 'id' parameter.
  impact: |
    Attackers can extract sensitive database information, potentially leading to data breach and compromise of the website.
  remediation: |
    Update to the latest version of the plugin where the vulnerability is fixed.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3197
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/30aab1af-a78f-4bac-b3c5-30ea854ccef7?source=cve
  metadata:
    verified: true
    max-req
Affected Scope
Unknown
Remediation Advice
None available