Cyber Resilience

CVE-2023-0037

Critical · Public PoC

Published: 13 March 2023

Modified: 27 February 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6173 (98.4th percentile)
Risk Priority: 57 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0037 is a critical-severity vulnerability (weakness type unspecified) in 10Web Map Builder For Google Maps. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The 10Web Map Builder for Google Maps WordPress plugin before version 1.0.73 contains a SQL injection vulnerability. The flaw stems from insufficient sanitization and escaping of parameters passed to an AJAX action that is reachable without authentication, allowing an attacker to inject arbitrary SQL statements into backend database queries.

Unauthenticated remote attackers can exploit the issue over the network with low complexity and no user interaction. Successful exploitation can yield full read, write, and delete access to the database, enabling data exfiltration, privilege escalation within WordPress, or complete site compromise, consistent with the CVSS 9.8 rating.

Public advisories published by WPScan and the IESE bulletin identify the vulnerable AJAX endpoint and recommend updating to version 1.0.73 or later to close the injection vector.

The EPSS score rose from an initially low value to a peak of 0.7483 with a current score of 0.6173, indicating that meaningful exploitation interest developed after public disclosure.

Vulnerability details

The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

10web
map builder for google maps
≤ 1.0.73

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
