Cyber Resilience

CVE-2023-2744

High · Public PoC

Published: 27 June 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in version 1.12.4 (see Deeper analysis)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2841 (96.6th percentile)
Risk priority: 31 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2744 is a high-severity vulnerability in weDevs WP ERP for which no CWE is listed. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The ERP WordPress plugin before version 1.12.4 contains a SQL injection vulnerability in the erp/v1/accounting/v1/people REST API endpoint. The flaw stems from insufficient sanitization and escaping of the type parameter before it is incorporated into a SQL statement, allowing the malformed input to alter query logic.

High-privilege users such as administrators can supply a crafted `type` value over the network to the affected endpoint. Successful exploitation grants full read, write, and delete access to the database, which matches the CVSS 7.2 vector: high impact on confidentiality, integrity, and availability, network-reachable, requiring high privileges but no user interaction.

Public references on WPScan and PacketStorm document the issue and include proof-of-concept material, while the version constraint in the CVE description indicates that upgrading to 1.12.4 or later removes the vulnerable code path. The associated EPSS score has remained at its peak of 0.2841, with no material increase after disclosure.

EU & UK References

Vulnerability details

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CWE(s): None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wedevs
Product: wp erp
Versions: ≤ 1.12.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References