
CVE-2023-1408

Severity: High · Public PoC

Published: 08 May 2023
Modified: 29 January 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1088 (93.6th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-1408 is a high-severity vulnerability of unspecified weakness type (no CWE is listed in this record) in Video List Manager by the Video List Manager Project. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 6.4% of CVEs by predicted exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Video List Manager WordPress plugin through version 1.7 contains a SQL injection vulnerability caused by insufficient sanitization and escaping of a parameter before it is used in a SQL statement. The affected component is this plugin running on WordPress sites. The issue received a CVSS 3.1 score of 7.2, reflecting network-accessible exploitation with high impact on confidentiality, integrity, and availability; the vector's PR:H component records that the attacker must already hold high privileges.

High-privilege users such as administrators can exploit the flaw to perform SQL injection attacks against the underlying database. Successful exploitation allows an attacker with admin access to read, modify, or delete data and potentially escalate control over the WordPress installation.
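The pattern the advisory describes (a request parameter reaching a SQL statement without sanitization or escaping) is shown below beside its hardened form. This is an added illustration, not the Video List Manager plugin's code; the function names, the `vlm_videos` table and the `video_id` parameter are hypothetical, and only the WordPress APIs (`$wpdb->prepare`, `absint`, `current_user_can`, `check_admin_referer`) are real.

```php
<?php
// Added illustration (not the Video List Manager plugin's code): the general
// pattern behind "parameter not sanitised/escaped before use in a SQL statement"
// in a WordPress plugin, next to the hardened form. Table, function and
// parameter names are hypothetical.

// VULNERABLE PATTERN: request input is interpolated straight into the SQL text.
// Whoever can reach this handler controls part of the query, so even an
// admin-only page is a SQL injection sink (this is the PR:H case in the advisory).
function vlm_demo_get_video_vulnerable() {
    global $wpdb;
    $id  = $_GET['video_id'];                      // untrusted, unsanitised
    $sql = "SELECT * FROM {$wpdb->prefix}vlm_videos WHERE id = $id";
    return $wpdb->get_row( $sql );                 // string concatenation -> SQLi
}

// HARDENED PATTERN: check the capability, verify a nonce (so a forged request
// cannot ride on an administrator's session), coerce the input to the type the
// query expects, and bind it with $wpdb->prepare() instead of concatenating.
function vlm_demo_get_video_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'vlm_demo_view_video' );  // nonce tied to this admin action
    $id  = absint( $_GET['video_id'] ?? 0 );       // non-negative integer only
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}vlm_videos WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );                 // value is bound, never parsed as SQL
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every `$wpdb->query`, `get_row`, `get_results` or `get_var` call should receive a string produced by `$wpdb->prepare()` (or no request-derived data at all), and string values used in `LIKE` clauses additionally need `$wpdb->esc_like()` before binding. A capability check alone is not a fix; it limits who can trigger the flaw but leaves the injection in place.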

The EPSS score for this CVE reached a peak of 0.2051 after disclosure before settling at a current value of 0.1088, indicating a material rise in predicted exploitation likelihood that warrants renewed attention from defenders. The issue is tracked in public advisories at WPScan.

Vulnerability details

The Video List Manager WordPress plugin through 1.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: video list manager project
Product: video list manager
Versions: ≤ 1.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
