Cyber Resilience

CVE-2023-39650

CriticalPublic PoC

Published: 28 August 2023

Published
28 August 2023
Modified
21 November 2024
KEV Added
Patch
24 August 2023
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3768 97.3th percentile
Risk Priority 42 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-39650 is a critical-severity SQL Injection (CWE-89) vulnerability in Themevolty Theme Volty Cms Blog. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Theme Volty CMS Blog up to version 4.0.1 contains a SQL injection vulnerability (CWE-89) that can be triggered through the id parameter on the /tvcmsblog/single endpoint. The affected component is a PrestaShop module that handles blog content display, and the flaw received a CVSS 3.1 score of 9.8 reflecting network-accessible, unauthenticated exploitation with full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can supply a crafted id value to the vulnerable endpoint and execute arbitrary SQL queries against the underlying database. Successful exploitation allows extraction or modification of stored data, potential authentication bypass, or further compromise of the PrestaShop installation without any user interaction.

Public advisories published by Friends of Presta reference the issue and point to Theme Volty for updates; the listed URLs are https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html and https://themevolty.com/. The associated EPSS score has remained at 0.3768 since disclosure, indicating sustained but not sharply increasing exploitation interest.

EU & UK References

Vulnerability details

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

themevolty
theme volty cms blog
≤ 4.0.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References