CVE-2023-0037
Published 2023-03-13
Priority P179 · Critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 3.91% (89.0th percentile)
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | map_builder_for_google_maps | < 1.0.73 | 1.0.73 |
Detection & IOCs (extracted from sources)
other: contains(body, "wd-google-maps")
- Fingerprint target WordPress installations by checking for the 'wd-google-maps' string in the HTTP response body, indicating the 10Web Map Builder for Google Maps plugin is present.
- The vulnerability is exploitable via an AJAX action available to unauthenticated users; monitor WordPress wp-admin/admin-ajax.php requests from unauthenticated sessions for SQL injection payloads targeting this plugin.
- Plugin versions below 1.0.73 of 10Web Map Builder for Google Maps are vulnerable; flag installations running versions prior to 1.0.73.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-6gc2-7235-x8mp · ghsa_unreviewed · 2023-03-13 · CVE-2023-0037 [CRITICAL] · CWE-89
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
VulnCheck
10Web Map Builder for Google Maps WordPress Plugin AJAX SQL Injection · vulncheck · 2023 · CVSS 9.8 · CVE-2023-0037 [CRITICAL]
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Affected: 10web map_builder_for_google_maps
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/wd-google-maps/wordpress-10webmapbuilder-plugin-1-0-73-unauthenticated-sqli-vulnerability
No detection rules found.
Nuclei
WordPress 10Web Map Builder < 1.0.73 - Unauthenticated SQL Injection · nuclei · CVSS 9.8 · CVE-2023-0037 [CRITICAL]
Template matcher excerpt as indexed (the first DSL line survived only as the fragment "WordPress 10Web Map Builder =7'" and is not reconstructed here):

```yaml
      - 'contains(body, "wd-google-maps")'
      - 'contains(content_type, "text/html")'
    condition: and
# digest: 4a0a00473045022021a4918493fb5410984777dce0a023b2cae184733b2425a21cd7120b4ff4808c02210091733df166900e21f0c987a9b7bbeb0519f896aa654172e5f963f5d87267061e:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.