CVE-2023-2744
Published: 27 June 2023
Summary
CVE-2023-2744 is a high-severity SQL injection vulnerability in weDevs WP ERP (the ERP WordPress plugin). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Before version 1.12.4, the ERP WordPress plugin is vulnerable to SQL injection in the `erp/v1/accounting/v1/people` REST API endpoint. The `type` parameter is neither sanitised nor escaped before it is incorporated into a SQL statement, so a crafted value can alter the query logic rather than being treated as data.
Exploitation requires a high-privilege user such as an administrator, who sends a crafted `type` value to the affected endpoint over the network. The CVSS 7.2 rating reflects that constraint (high privileges required, no user interaction) together with high impact on confidentiality, integrity, and availability: a successful injection grants read, write, and delete access to the database. The practical exposure is therefore a compromised or malicious administrator account being turned into direct database access.
Public references on WPScan and PacketStorm document the issue and include proof-of-concept material. The version constraint in the CVE description indicates that upgrading to 1.12.4 or later removes the vulnerable code path. The EPSS score peaked at 0.2841 and has not risen materially since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34205
Vulnerability details
The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
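The injection pattern described in the vulnerability details and in the deeper analysis above, as an added example that is not the plugin's own code: a request-controlled `type` value concatenated into a `WHERE` clause, beside the hardened form that rejects anything outside an allow-list and binds the survivor as a query parameter. The in-memory SQLite schema, the `people` and `wp_options` tables, the secret row, the allow-list contents and the payloads are all constructed for illustration; nothing here reflects the plugin's real schema or handler. In a WordPress plugin the hardened branch corresponds to validating the value and then passing it to `$wpdb->prepare()` with a `%s` placeholder.

```python
import sqlite3

# Constructed allow-list of the only values the endpoint should accept (an assumption,
# not the plugin's real set of person types).
ALLOWED_TYPES = frozenset({"customer", "vendor", "employee"})

# Constructed UNION payload: closes the quoted string, appends a second SELECT that
# reads a different table, and comments out the rest of the original statement.
UNION_PAYLOAD = "' UNION SELECT option_value FROM wp_options-- "


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database standing in for the site's schema (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO people VALUES (1, 'Alice', 'customer'), (2, 'Bob', 'vendor');
        INSERT INTO wp_options VALUES ('secret_key', 'constructed-secret-value');
        """
    )
    return conn


def query_people_vulnerable(type_param: str) -> list[str]:
    """Vulnerable pattern: the parameter is spliced into the SQL text, so quotes in it
    terminate the literal and whatever follows becomes SQL syntax."""
    conn = make_db()
    sql = f"SELECT name FROM people WHERE type = '{type_param}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def is_valid_type(type_param: str) -> bool:
    """Allow-list check: only exact, expected values pass; no escaping is attempted."""
    return type_param in ALLOWED_TYPES


def query_people_hardened(type_param: str) -> list[str]:
    """Hardened pattern: reject unexpected values, then bind the value as a parameter so
    the database driver treats it strictly as data."""
    if not is_valid_type(type_param):
        raise ValueError(f"rejected type value: {type_param!r}")
    conn = make_db()
    sql = "SELECT name FROM people WHERE type = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (type_param,))]


if __name__ == "__main__":
    print("legit   :", query_people_vulnerable("customer"))
    print("tautology:", query_people_vulnerable("' OR '1'='1"))   # every row returned
    print("union   :", query_people_vulnerable(UNION_PAYLOAD))    # secret from another table
    print("hardened:", query_people_hardened("customer"))
    try:
        query_people_hardened(UNION_PAYLOAD)
    except ValueError as exc:
        print("hardened rejected payload:", exc)
```

The tautology payload shows the query logic being altered (the `WHERE` filter is defeated), and the UNION payload shows the confidentiality impact the CVSS vector records: data from an unrelated table returned through an endpoint that was only meant to list people. Parameter binding alone would already defeat both payloads; the allow-list is the extra check that makes unexpected input a hard error you can log rather than a silently empty result.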
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.