CVE-2023-0261
Published: 13 February 2023
Summary
CVE-2023-0261 is a high-severity vulnerability in the Ljapps WP TripAdvisor Review Slider plugin; the record does not specify a weakness type. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The WP TripAdvisor Review Slider WordPress plugin before version 10.8 contains a SQL injection vulnerability. The plugin fails to properly sanitize and escape a parameter before incorporating it into a SQL statement, allowing direct manipulation of database queries. The issue carries a CVSS 3.1 score of 8.8 and affects any site running an unpatched instance of the plugin.
Authenticated users with the subscriber role or higher can exploit the flaw over the network without user interaction. Successful exploitation grants the attacker full read, write, and delete access to the database, enabling data exfiltration, modification of site content, or further lateral movement within the WordPress installation.
The referenced WPScan advisory identifies the vulnerable parameter and confirms that updating the plugin to version 10.8 or later resolves the injection vector. The EPSS score has reached a peak of 0.3671 with a current value of 0.3291, indicating sustained moderate exploitation interest following disclosure.
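The advisory above and the vulnerability details below describe the same defect class: a request parameter concatenated into a SQL statement. As an added illustration (not code from the plugin, the advisory, or WPScan; the handler names, parameter names and table are hypothetical), the unsafe pattern beside the corrected WordPress idiom, which binds values through $wpdb->prepare() and restricts who may reach the handler:

```php
<?php
// Added example: hypothetical plugin request handlers, NOT the actual plugin code.
// Assumes a WordPress runtime providing $wpdb, current_user_can(),
// wp_verify_nonce(), absint() and WP_Error.

// Unsafe pattern: the raw parameter is interpolated into the query string.
// Wrapping it in quotes is not a defence; whatever the client sends still
// reaches the SQL parser as part of the statement.
function wptr_example_get_reviews_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'wptr_reviews';   // hypothetical table name
    $id    = $_REQUEST['slider_id'];            // hypothetical parameter
    return $wpdb->get_results(
        "SELECT * FROM {$table} WHERE slider_id = '{$id}'"
    );
}

// Hardened pattern: gate the handler on a capability and a nonce, coerce
// parameters to the expected type, and let $wpdb->prepare() escape and bind
// every value so none of it can alter the statement. The capability check
// matters here because the advisory notes subscriber-level users could reach
// the vulnerable code path.
function wptr_example_get_reviews_safe() {
    global $wpdb;
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'forbidden', 'insufficient capability' );
    }
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wptr_example_action' ) ) {
        return new WP_Error( 'bad_nonce', 'nonce check failed' );
    }
    $table      = $wpdb->prefix . 'wptr_reviews';
    $id         = absint( isset( $_REQUEST['slider_id'] ) ? $_REQUEST['slider_id'] : 0 );
    $min_rating = absint( isset( $_REQUEST['min_rating'] ) ? $_REQUEST['min_rating'] : 0 );
    // %d placeholders force integers; use %s for strings and $wpdb->esc_like()
    // before binding anything that lands inside a LIKE pattern.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE slider_id = %d AND rating >= %d",
        $id,
        $min_rating
    );
    return $wpdb->get_results( $sql );
}
```

For values that must be identifiers or keywords (column names, sort direction), prepare() cannot help because it quotes its arguments; compare those against a fixed allow-list instead.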
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12342
Vulnerability details
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
- CWE(s): not specified in the record
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.