Cyber Resilience

CVE-2023-3077

Severity: Critical · Public PoC available

Published: 10 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: upgrade MStore API to 3.9.8 or later
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.6078 (98.3rd percentile)
Risk priority: 56 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-3077 is a critical-severity vulnerability in the InspireUI MStore API WordPress plugin; no CWE is assigned, so the weakness type is recorded as unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The MStore API plugin for WordPress, prior to version 3.9.8, contains a blind SQL injection vulnerability caused by missing sanitization and escaping of a user-supplied parameter that is concatenated directly into a SQL query. The flaw is present only when the site has purchased and enabled the plugin's pro features and is also running the WooCommerce Appointments extension.

Unauthenticated attackers can supply crafted input over the network to trigger the injection. Successful exploitation grants full read, write, and delete access to the database, corresponding to the CVSS 9.8 rating that reflects no authentication, no user interaction, and complete confidentiality, integrity, and availability impact.
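As an added illustration (not MStore API's own code), the pattern the advisory describes, a request parameter concatenated straight into a SQL statement, beside a hardened version that validates the argument at the REST layer and binds it with `$wpdb->prepare()`. The route, parameter and table names are hypothetical; the page does not name the affected parameter.

```php
<?php
// Added example, not code from the MStore API plugin. The route
// "mstore-demo/v1/appointments", the parameter "slot" and the table
// demo_appointments are hypothetical placeholders.

// VULNERABLE PATTERN: the raw request parameter is concatenated into the
// query string with no sanitising or escaping, so a crafted value can
// change the statement itself (a blind injection needs no output at all,
// only an observable difference in response or timing).
function demo_lookup_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $slot = $request->get_param( 'slot' );
    $sql  = "SELECT COUNT(*) FROM {$wpdb->prefix}demo_appointments WHERE slot = '" . $slot . "'";
    return rest_ensure_response( array( 'count' => (int) $wpdb->get_var( $sql ) ) );
}

// HARDENED PATTERN: the value is passed as a bound placeholder, so it can
// only ever be compared as data, never parsed as SQL.
function demo_lookup_safe( WP_REST_Request $request ) {
    global $wpdb;
    $slot = sanitize_text_field( $request->get_param( 'slot' ) );
    $sql  = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}demo_appointments WHERE slot = %s",
        $slot
    );
    return rest_ensure_response( array( 'count' => (int) $wpdb->get_var( $sql ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'mstore-demo/v1', '/appointments', array(
        'methods'             => 'GET',
        'callback'            => 'demo_lookup_safe',
        // Reject anything that is not a plain slot identifier before the
        // callback runs; the unsafe version above has no such gate.
        'args'                => array(
            'slot' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value ) === 1;
                },
            ),
        ),
        // The affected endpoint was reachable unauthenticated; where the
        // feature allows it, gate the route on a capability instead.
        'permission_callback' => function () {
            return current_user_can( 'read' );
        },
    ) );
} );
```

Detection-wise, requests to plugin REST routes whose parameters contain SQL metacharacters or timing-based payloads are the signal to alert on while sites remain below 3.9.8.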

Public advisories published by WPScan on 10 July 2023 identify the issue and direct administrators to upgrade the MStore API plugin to version 3.9.8 or later to eliminate the vulnerable code path.

The EPSS score for this CVE rose from a low baseline to a peak of 0.7441 (current value 0.6078), indicating that exploitation interest increased measurably after disclosure.

Vulnerability details

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: inspireui
Product: mstore api
Versions: ≤ 3.9.8 (as catalogued; note that the advisory text describes versions before 3.9.8 as affected and names 3.9.8 as the fixed release, so treat 3.9.8 itself as patched when reconciling inventories)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.