7.2

CVE-2023-2744

Exploit

WP ERP < 1.12.4 - Admin+ SQL Injection

WP ERP <= 1.12.3 - Authenticated (Administrator+) SQL Injection via 'type'

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
Mögliche Gegenmaßnahme
ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support: Update to version 1.12.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WedevsWp Erp SwPlatformwordpress Version < 1.12.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support
Version [*, 1.12.4)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.61% 0.834
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://packetstormsecurity.com/files/175106/WordPress-WP-ERP-1.12.2-SQL-Injection.html
Third Party Advisory
Exploit
VDB Entry
https://wpscan.com/vulnerability/435da8a1-9955-46d7-a508-b5738259e731
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/1e0c77a6-08fd-4d54-8ecd-6e5fe0e03e14
Third Party Advisory