CVE-2023-0234
Published: 06 February 2023
Summary
CVE-2023-0234 is a high-severity vulnerability (weakness type unspecified in this record) in SiteGround Security, by vendor SiteGround. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The SiteGround Security WordPress plugin before version 1.3.1 contains an authenticated SQL injection vulnerability caused by insufficient sanitization of user input prior to its use in SQL queries. The flaw affects any WordPress installation running the vulnerable plugin and carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, and low required privileges.
An authenticated attacker with low-privileged access can supply crafted input that alters the intended SQL query, enabling extraction or modification of database contents and potentially leading to full compromise of confidentiality, integrity, and availability on the affected site.
The provided references point to WPScan vulnerability entries and SiteGround’s responsible disclosure policy, which together indicate that the issue was addressed by releasing version 1.3.1; administrators should apply the update to eliminate the injection vector. The EPSS score rose from lower values after disclosure to a peak of 0.1620 on 2026-02-03 before receding to the current 0.0667, indicating a period of increased exploitation interest that later subsided.
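As an added illustration that is not the plugin's code (this record does not show the affected query or parameter), the Python/sqlite3 snippet below contrasts the unsanitized pattern the analysis describes, input concatenated into the SQL string, with the same lookup written as a parameterized query. The table name, columns and rows are constructed for the example; in a WordPress plugin the equivalent hardening is passing the value through $wpdb->prepare() rather than interpolating it.

```python
import sqlite3

# Constructed sample table standing in for a plugin-owned table; not the plugin's schema.
SAMPLE_ROWS = [
    ("203.0.113.5", "login ok"),
    ("198.51.100.9", "login failed"),
    ("203.0.113.5", "lockout"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sg_log (id INTEGER PRIMARY KEY, ip TEXT, note TEXT)")
    conn.executemany("INSERT INTO sg_log (ip, note) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, ip):
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL text.

    Anything in `ip` becomes part of the statement, so a value containing a
    quote can change the WHERE clause instead of being compared as data.
    """
    sql = "SELECT id, ip, note FROM sg_log WHERE ip = '" + ip + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ip):
    """Hardened pattern: the value is bound as a parameter.

    The database receives the statement and the value separately, so the
    value is always compared as a string and never parsed as SQL. This is the
    role $wpdb->prepare() plays in WordPress code.
    """
    return conn.execute(
        "SELECT id, ip, note FROM sg_log WHERE ip = ?", (ip,)
    ).fetchall()


def compare(ip):
    """Run both lookups on the same input and return (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, ip)), len(lookup_safe(conn, ip))
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary value behaves the same in both forms.
    print("normal input :", compare("203.0.113.5"))
    # A value that breaks out of the quoted literal only affects the unsafe form:
    # it returns every row, while the bound query matches nothing.
    print("crafted input:", compare("x' OR '1'='1"))
```

The constructed input in the last line is the textbook illustration of the class; the point for a reviewer is that `lookup_safe` returns no rows for it while `lookup_unsafe` returns the whole table, which is exactly the behaviour a code audit of a plugin's `$wpdb->query`/`$wpdb->get_results` calls should be checking for.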
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12318
Vulnerability details
The SiteGround Security WordPress plugin before 1.3.1 does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue.
- CWE(s): not specified in this record
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.