CVE-2023-1408
Published: 08 May 2023
Summary
CVE-2023-1408 is a high-severity vulnerability, of an unspecified weakness type, in Video List Manager by Video List Manager Project. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Video List Manager WordPress plugin through version 1.7 contains a SQL injection vulnerability caused by insufficient sanitization and escaping of a parameter before it is used in a SQL statement. The affected component is this plugin running on WordPress sites, and the issue received a CVSS 3.1 score of 7.2 reflecting network-accessible exploitation with high impact on confidentiality, integrity, and availability.
High-privilege users such as administrators can exploit the flaw to perform SQL injection attacks against the underlying database. Successful exploitation allows an attacker with admin access to read, modify, or delete data and potentially escalate control over the WordPress installation.
The EPSS score for this CVE reached a peak of 0.2051 after disclosure before settling at a current value of 0.1088, indicating a material rise in predicted exploitation likelihood that warrants renewed attention from defenders. The issue is tracked in public advisories at WPScan.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23663
Vulnerability details
The Video List Manager WordPress plugin through 1.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.