CVE-2023-54359
Published: 09 April 2026
Summary
CVE-2023-54359 is a high-severity SQL Injection (CWE-89) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-54359 is a time-based blind SQL injection vulnerability (CWE-89) in the Adivaha Travel Plugin version 2.3 for WordPress. The issue affects the plugin's handling of the 'pid' GET parameter in the /mobile-app/v3/ endpoint, where insufficient input validation allows attackers to inject SQL code, including XOR-based payloads, to manipulate database queries.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation enables extraction of sensitive database information or denial of service by disrupting query execution.
Advisories from VulnCheck and an Exploit-DB proof-of-concept (ID 51655) describe the vulnerability and exploitation techniques. Additional context is available on the plugin's WordPress.org page and the vendor site at adivaha.com.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-60550
Vulnerability details
WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated exploitation of a public-facing WordPress plugin via SQL injection (T1190: Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the SQL injection vulnerability by requiring validation of the 'pid' GET parameter to prevent malicious SQL code injection into database queries.
- SI-2 (Flaw Remediation): Addresses the specific flaw in Adivaha Travel Plugin 2.3 by requiring timely identification, reporting, and remediation of known vulnerabilities like CVE-2023-54359.
- Provides additional protection by restricting the 'pid' parameter to safe formats such as numeric values, blocking malformed or oversized inputs used in SQL injection payloads.
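As an added example (not the plugin's or this page's code) of the two input-side controls above in WordPress terms: the handler accepts 'pid' only as a canonical positive integer and then binds it through $wpdb->prepare(), so anything that is not a plain number is rejected before the query is built and, even if a value slipped through, it would be bound as data rather than parsed as SQL. Function, table and column names are hypothetical.

```php
<?php
// Added example, not the Adivaha plugin's code. Names prefixed "example_"
// and the table/column names are hypothetical placeholders.

/**
 * SI-10 style validation: accept only a canonical positive integer.
 * Returns the integer, or null for anything else (signs, spaces, operators,
 * URL-encoded fragments, arrays from pid[]=..., or oversized strings).
 */
function example_validate_pid( $raw ) {
    if ( ! is_string( $raw ) ) {
        return null; // reject, never coerce, non-string input
    }
    // ctype_digit allows only [0-9]; the length cap bounds the value well
    // below integer limits and rejects oversized inputs outright.
    if ( '' === $raw || ! ctype_digit( $raw ) || strlen( $raw ) > 10 ) {
        return null;
    }
    $pid = (int) $raw;
    return $pid > 0 ? $pid : null;
}

/**
 * Parameterized lookup: %d binds the value as an integer, so the SQL text
 * is fixed regardless of what the client sent.
 */
function example_get_package( $pid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_packages'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, name, price FROM {$table} WHERE id = %d",
        $pid
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Endpoint glue: fail closed with a 400 before the database is touched.
function example_handle_mobile_app_v3() {
    $raw = isset( $_GET['pid'] ) ? wp_unslash( $_GET['pid'] ) : '';
    $pid = example_validate_pid( $raw );
    if ( null === $pid ) {
        wp_send_json_error( array( 'message' => 'invalid pid' ), 400 );
    }
    $row = example_get_package( $pid );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $row );
}
```

With this shape, a request whose 'pid' carries any non-digit character is answered with HTTP 400 and never reaches $wpdb, which is also a convenient signal to count in access logs.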