CVE-2023-0037
Published: 13 March 2023
Summary
CVE-2023-0037 is a critical-severity SQL injection vulnerability in the 10Web Map Builder for Google Maps WordPress plugin; the weakness category is not recorded on this page. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The 10Web Map Builder for Google Maps WordPress plugin before version 1.0.73 contains a SQL injection vulnerability. The flaw stems from insufficient sanitization and escaping of parameters passed to an AJAX action that is reachable without authentication, allowing an attacker to inject arbitrary SQL statements into backend database queries.
Unauthenticated remote attackers can exploit the issue over the network with low complexity and no user interaction. Successful exploitation can yield full read, write, and delete access to the database, enabling data exfiltration, privilege escalation within WordPress, or complete site compromise, consistent with the CVSS 9.8 rating.
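The pattern the advisory describes, as an added illustration rather than code from the 10Web plugin: a handler registered on the `wp_ajax_nopriv_` hook is reachable by anyone who can fetch `/wp-admin/admin-ajax.php`, and a request parameter concatenated into the query gives an unauthenticated attacker control of the SQL. The action name (`mb_get_markers`), table (`mb_markers`) and parameter names are hypothetical. The hardened form goes slightly beyond the integer case by also showing how a non-numeric value such as a sort column must be handled, since `$wpdb->prepare()` cannot bind identifiers.

```php
<?php
// Added example; not the plugin's own code. Action, table and parameter
// names (mb_get_markers, mb_markers, map_id, orderby) are hypothetical.

/* ---- Vulnerable pattern (what CVE-2023-0037 describes) ------------------
 * Shown but deliberately not registered here; in the real plugin this is
 * the only handler. The nopriv hook exposes it to unauthenticated callers.
 *
 *   add_action( 'wp_ajax_nopriv_mb_get_markers', 'mb_get_markers_vulnerable' );
 *   add_action( 'wp_ajax_mb_get_markers',        'mb_get_markers_vulnerable' );
 */
function mb_get_markers_vulnerable() {
    global $wpdb;
    $map_id  = isset( $_GET['map_id'] )  ? $_GET['map_id']  : '';
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';

    // Neither value is escaped or type-checked, so
    //   map_id=1 UNION SELECT user_login,user_pass,1,1 FROM wp_users
    // is spliced into the statement verbatim and reaches the database.
    $rows = $wpdb->get_results(
        "SELECT id, title, lat, lng FROM {$wpdb->prefix}mb_markers "
        . "WHERE map_id = {$map_id} ORDER BY {$orderby}"
    );
    wp_send_json_success( $rows );
}

/* ---- Hardened form ------------------------------------------------------
 * The endpoint may legitimately need to stay public (a map on a public
 * page), so the fix is not an auth check but strict typing plus
 * parameterisation for values and an allow-list for identifiers.
 */
add_action( 'wp_ajax_nopriv_mb_get_markers', 'mb_get_markers_fixed' );
add_action( 'wp_ajax_mb_get_markers',        'mb_get_markers_fixed' );

function mb_get_markers_fixed() {
    global $wpdb;

    // 1. Values: enforce the type before the data gets near the query.
    //    absint() turns "1 UNION SELECT ..." into 1 and "abc" into 0.
    $map_id = isset( $_GET['map_id'] ) ? absint( wp_unslash( $_GET['map_id'] ) ) : 0;
    if ( 0 === $map_id ) {
        wp_send_json_error( 'invalid map_id', 400 ); // exits
    }

    // 2. Identifiers: prepare() cannot bind a column name, so map the
    //    request value onto a fixed allow-list and reject anything else.
    $allowed_orderby = array( 'id', 'title', 'lat', 'lng' );
    $orderby = isset( $_GET['orderby'] )
        ? sanitize_key( wp_unslash( $_GET['orderby'] ) )
        : 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        wp_send_json_error( 'invalid orderby', 400 ); // exits
    }

    // 3. Bind the value with %d so the SQL structure is fixed before any
    //    user-controlled data is inserted; the identifier is now a constant
    //    chosen from our own list, never the raw request string.
    $sql = $wpdb->prepare(
        "SELECT id, title, lat, lng FROM {$wpdb->prefix}mb_markers "
        . "WHERE map_id = %d ORDER BY {$orderby}",
        $map_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

When reviewing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations first and then trace every `$_GET`/`$_POST` value used by those callbacks into `$wpdb` calls; any that reach a query without passing through `prepare()` (for values) or an allow-list (for identifiers) is the same flaw. On a deployed site, `wp plugin list` (WP-CLI) shows the installed version, and anything below 1.0.73 should be updated.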
Public advisories published by WPScan and the IESE bulletin identify the vulnerable AJAX endpoint and recommend updating to version 1.0.73 or later to close the injection vector.
The EPSS score rose from an initially low value to a peak of 0.7483 with a current score of 0.6173, indicating that meaningful exploitation interest developed after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12142
Vulnerability details
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
- CWE(s): none recorded
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.