CVE-2023-23489
Published: 20 January 2023
Summary
CVE-2023-23489 is a critical-severity SQL injection (CWE-89) vulnerability in the Easy Digital Downloads WordPress plugin (NVD vendor: sandhillsdev). Its CVSS base score is 9.8 (Critical).
Operationally: it is ranked in the top 0.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Easy Digital Downloads (WordPress plugin) versions 3.1.0.2 and 3.1.0.3 contain an unauthenticated SQL injection (CWE-89) in the 's' parameter of the edd_download_search AJAX action. WordPress serves such actions through wp-admin/admin-ajax.php, and because this one is reachable by visitors who are not logged in, the search term reaches the database query without any authentication or user interaction. The flaw carries a CVSS 3.1 base score of 9.8: network-reachable, low attack complexity, no privileges and no user interaction required.
An attacker who can reach the site can send crafted requests to that endpoint and read the WordPress database (user records and password hashes, customer and order data, site options) and, depending on what the injected query can reach, alter it, which in turn opens paths to further compromise of the installation and the underlying host. Because no credentials or victim interaction are needed, exploitation is possible from any network position that can reach the site.
EPSS for this CVE currently stands at 0.8073 (an estimated 80.7% probability of exploitation activity in the wild within the next 30 days), with a recorded peak of 0.8526; a score held at that level since disclosure indicates sustained and substantial exploitation interest.
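Because exploitation traffic targets a single, well-known endpoint, the first thing a defender wants is a triage pass over web-server logs. The script below is an added example written for this page, not code from the plugin vendor or from the page's own source: it parses constructed Apache/nginx-style access-log lines, keeps requests to wp-admin/admin-ajax.php whose action is edd_download_search, and flags those whose decoded s value carries SQL string delimiters, comment sequences or SQL keywords. The sample lines, the IP addresses and the payload strings are constructed, and the keyword list is a heuristic, not a signature from any vendor.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format; IPs are from documentation
# ranges and the payloads are illustrative, not captured traffic.
SAMPLE_LOG = r"""
203.0.113.7 - - [21/Jan/2023:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=edd_download_search&s=ebook HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jan/2023:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=edd_download_search&s=ebook%27%29%20UNION%20SELECT%201%2Cuser_pass%2C3%20FROM%20wp_users%23 HTTP/1.1" 200 2048 "-" "python-requests/2.28"
203.0.113.9 - - [21/Jan/2023:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=edd_download_search&s=x%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 89 "-" "python-requests/2.28"
198.51.100.4 - - [21/Jan/2023:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.5 - - [21/Jan/2023:10:02:30 +0000] "GET /?s=ebook%27 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Heuristic, not a vendor signature: string delimiters, comment sequences and
# SQL keywords that have no business in a product-title search term.
SQLI_HINTS = re.compile(
    r"['\"`\\]|--\s|#|/\*|\b(?:union|select|sleep|benchmark|extractvalue|updatexml|information_schema)\b",
    re.IGNORECASE,
)

EDD_ACTION = "edd_download_search"


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query, keep_blank_values=True)   # percent-decodes values
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"],
        "path": url.path, "status": int(m["status"]),
        "action": qs.get("action", [""])[0], "s": qs.get("s", [""])[0],
    }


def classify(req):
    """'suspicious' or 'benign' for EDD search requests, None for anything else."""
    if not (req["path"].endswith("/wp-admin/admin-ajax.php") and req["action"] == EDD_ACTION):
        return None
    return "suspicious" if SQLI_HINTS.search(req["s"]) else "benign"


def scan(log_text):
    """Return (ip, timestamp, decoded s) for every suspicious EDD search request."""
    hits = []
    for line in log_text.strip().splitlines():
        req = parse_line(line)
        if req and classify(req) == "suspicious":
            hits.append((req["ip"], req["ts"], req["s"]))
    return hits


def by_source(log_text):
    """Count suspicious requests per client IP, most active first."""
    return Counter(ip for ip, _, _ in scan(log_text)).most_common()


if __name__ == "__main__":
    for ip, ts, term in scan(SAMPLE_LOG):
        print(f"{ts} {ip} s={term!r}")
    print(by_source(SAMPLE_LOG))
```

Access logs record only the query string of GET requests; the same parameters can be submitted in a POST body, which this pass will not see, so pair it with request-body logging or a WAF that inspects bodies. The benign first line is there to show why blocking the action outright is a last resort: it serves the plugin's legitimate product search.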
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-27589
Vulnerability details
The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Easy Digital Downloads WordPress plugin, versions 3.1.0.2 and 3.1.0.3
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls below follow from the affected versions named above and from the weakness type cited in the NVD entry (CWE-89).
- Update Easy Digital Downloads to 3.1.0.4 or later, the release that contains the fix; this is the only complete remediation.
- Until updated, block or rate-limit unauthenticated requests to wp-admin/admin-ajax.php with action=edd_download_search at the WAF or reverse proxy (virtual patch), and alert on s values that carry quotes, comment sequences or SQL keywords.
- In code, build the search with a parameterised query ($wpdb->prepare()) and escape LIKE wildcards in the term ($wpdb->esc_like()); never concatenate request input into SQL text.
- Run the site's database account with least privilege, and if the vulnerable versions were exposed, review wp_users and the options table for unexpected changes and rotate credentials stored there.
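To make the weakness and the fix concrete, the example below is added here and is not the plugin's own code (the page does not reproduce the vulnerable query). It shows the bug class on a constructed WordPress-like schema in SQLite: a search term concatenated into a LIKE clause, beside the same search bound as a parameter with its LIKE wildcards escaped. In a WordPress plugin the hardened form corresponds to $wpdb->prepare() together with $wpdb->esc_like(). The table contents, password-hash placeholders and payloads are all constructed.

```python
import sqlite3


def make_db():
    """Constructed WordPress-like tables; hashes are placeholders, not real data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_type TEXT, post_status TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES
            (1, 'Python ebook',   'download', 'publish'),
            (2, 'Rust ebook',     'download', 'publish'),
            (3, 'Internal draft', 'download', 'draft'),
            (4, 'Hello world',    'post',     'publish');
        INSERT INTO wp_users VALUES
            (1, 'admin',  '$P$Bconstructedhash1'),
            (2, 'editor', '$P$Bconstructedhash2');
    """)
    return con


def search_vulnerable(con, s):
    """Bug class from the advisory: the search term is pasted into the SQL text."""
    sql = ("SELECT ID, post_title FROM wp_posts "
           "WHERE post_type = 'download' AND post_status = 'publish' "
           "AND post_title LIKE '%" + s + "%'")
    return con.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the term matches literally
    (the role $wpdb->esc_like() plays in WordPress)."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_fixed(con, s):
    """Parameterised query: the term is bound, never parsed as SQL, and its
    wildcards are escaped (WordPress equivalent: $wpdb->prepare + esc_like)."""
    pattern = "%" + escape_like(s) + "%"
    sql = ("SELECT ID, post_title FROM wp_posts "
           "WHERE post_type = 'download' AND post_status = 'publish' "
           "AND post_title LIKE ? ESCAPE '\\'")
    return con.execute(sql, (pattern,)).fetchall()


# Constructed payloads. The UNION one closes the LIKE string, appends a second
# SELECT over wp_users and comments out the trailing "%'" ("-- " with a trailing
# space is a comment in both MySQL and SQLite). The second widens the search to
# every published download by supplying a bare wildcard.
UNION_PAYLOAD = "x%' UNION SELECT ID, user_login || ':' || user_pass FROM wp_users-- "
WILDCARD_PAYLOAD = "%"


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        for term in ("ebook", WILDCARD_PAYLOAD, UNION_PAYLOAD):
            print(f"{label:10} {term[:24]!r:28} -> {fn(db, term)}")
```

Run stand-alone, the vulnerable function returns the two password hashes for the UNION payload and every published download for the bare wildcard, while the fixed function returns only titles that literally contain the supplied term. The escape step matters on its own: binding the parameter stops the injection, but without escaping, a term of "%" still turns a title search into an enumerate-everything query.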