CVE-2023-0900
Published: 05 June 2023
Summary
CVE-2023-0900 is a high-severity vulnerability (weakness type unspecified) in Wpdevart Pricing Table Builder. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Pricing Table Builder WordPress plugin through version 1.1.6 contains a SQL injection vulnerability caused by insufficient sanitization and escaping of a parameter before it is used in a SQL statement. The flaw affects any site running the plugin and carries a CVSS 3.1 score of 7.2, reflecting network-accessible exploitation with high impact on confidentiality, integrity, and availability.
An authenticated administrator or other high-privilege user can supply a crafted input that alters the generated SQL query, allowing arbitrary data extraction or modification within the WordPress database. Because the attack requires administrative credentials and no user interaction, it is primarily a post-compromise or insider-threat vector rather than a remote unauthenticated issue.
Public references published by WPScan document the vulnerability and provide technical details for detection and verification. No official patch information is supplied in the available references, so site owners should verify the current plugin version and apply updates from the vendor when released.
EPSS scores have remained low and stable near 0.06 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12889
Vulnerability details
The Pricing Table Builder WordPress plugin through 1.1.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.