Cyber Resilience

CVE-2023-23489

Severity: Critical · Public PoC

Published: 20 January 2023
Modified: 03 April 2025
KEV Added: not listed
Patch: (no value recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8073 (99.2nd percentile)
Risk Priority: 68 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-23489 is a critical-severity SQL Injection (CWE-89) vulnerability in Sandhillsdev Easy Digital Downloads. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Easy Digital Downloads WordPress plugin versions 3.1.0.2 and 3.1.0.3 contain an unauthenticated SQL injection vulnerability (CWE-89) in the 's' parameter of the edd_download_search action. The flaw carries a CVSS 3.1 score of 9.8 and permits remote attackers to manipulate database queries without authentication or user interaction.

An attacker can send crafted requests to the affected WordPress endpoint and obtain full read/write access to the database, enabling data exfiltration, modification of records, or further compromise of the WordPress installation and underlying host. Because the vector requires no credentials, exploitation is possible from any network-reachable position.
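As an added illustration (not Easy Digital Downloads' own code; the action, hook and function names are hypothetical), a WordPress AJAX search handler whose 's' parameter reaches SQL in the CWE-89 pattern described above, beside the hardened form that binds the term through $wpdb->prepare() and $wpdb->esc_like():

```php
<?php
// Added illustration (hypothetical handler, not the plugin's own code):
// an AJAX search action reachable without authentication whose 's'
// parameter is used in a LIKE clause.

// Weak pattern: the raw request value is concatenated into the query, so
// a quote character in 's' terminates the string literal and the rest of
// the value is parsed as SQL (CWE-89).
function demo_download_search_weak() {
    global $wpdb;
    $s   = isset( $_REQUEST['s'] ) ? $_REQUEST['s'] : '';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'download' AND post_status = 'publish'
              AND post_title LIKE '%{$s}%' LIMIT 20";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the term is unslashed and sanitized, LIKE-escaped so
// that % and _ match literally, and passed as a bound %s parameter, which
// $wpdb->prepare() quotes as data rather than as SQL.
function demo_download_search_hardened() {
    global $wpdb;
    $s = isset( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : '';
    if ( '' === $s ) {
        wp_send_json( array() );
    }
    $like = '%' . $wpdb->esc_like( $s ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'download' AND post_status = 'publish'
           AND post_title LIKE %s LIMIT 20",
        $like
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Both the logged-in and the unauthenticated (nopriv) hooks must point at
// the hardened handler; the nopriv hook is what makes the search reachable
// without credentials, which is the exposure this CVE describes.
add_action( 'wp_ajax_demo_download_search', 'demo_download_search_hardened' );
add_action( 'wp_ajax_nopriv_demo_download_search', 'demo_download_search_hardened' );
```

When reviewing a plugin for this weakness, look for `$_REQUEST`, `$_GET` or `$_POST` values interpolated into a string passed to `$wpdb->get_results()` or `$wpdb->query()` without `$wpdb->prepare()`.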

EPSS for the CVE currently stands at 0.8073 with a recorded peak of 0.8526, indicating sustained and substantial exploitation interest following disclosure.

Vulnerability details

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sandhillsdev
Product: easy digital downloads
Versions: ≤ 3.1.0.4

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
