cbcvebase.
CVE-2023-0037
published 2023-03-13

CVE-2023-0037: The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL…

Priority: P179 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 3.91% (89.0th percentile)
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to SQL injection.

Affected

1 range

Vendor   Product                       Version range   Fixed in
10web    map_builder_for_google_maps   < 1.0.73        1.0.73

Detection & IOCs (extracted from sources)

other: contains(body, "wd-google-maps")
  • Fingerprint target WordPress installations by checking for the string 'wd-google-maps' in the HTTP response body; its presence indicates the 10Web Map Builder for Google Maps plugin is installed.
  • The vulnerability is reachable through an AJAX action available to unauthenticated users, so monitor requests to wp-admin/admin-ajax.php from unauthenticated sessions for SQL injection payloads aimed at this plugin.
  • Plugin versions below 1.0.73 are vulnerable; flag any installation running a version earlier than 1.0.73.
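The three checks above, implemented as a small triage script. This is an added example, not code from the advisory, the plugin, or the vulnerability database: the request records, the response body, the readme.txt fragment and the AJAX action name `example_action` are all constructed for illustration (the advisory does not name the vulnerable action or parameters), and the SQL injection indicators are deliberately coarse patterns for surfacing candidates, not a complete signature set.

```python
"""Added example (not from the CVE page): detection helpers for CVE-2023-0037.

Implements the three checks listed in the Detection & IOCs section:
  1. fingerprint the plugin from the HTTP response body,
  2. flag unauthenticated admin-ajax.php requests carrying SQLi-looking parameters,
  3. flag plugin versions below the fixed release.
All sample inputs below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = "1.0.73"          # first non-vulnerable release, from the advisory
PLUGIN_MARKER = "wd-google-maps"  # string the fingerprint check looks for in the body

# Coarse SQL-injection indicators, enough to surface candidates for triage.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    re.compile(r"\b(?:or|and)\b\s*['\"]?\s*\d+\s*=\s*\d+", re.I),
    re.compile(r"['\"]\s*(?:or|and)\s*['\"]", re.I),
    re.compile(r"(?:--|#|/\*)"),
]


def version_tuple(version):
    # Plain dotted versions only; pre-release suffixes are out of scope here.
    return tuple(int(p) for p in version.split("."))


def is_vulnerable_version(version):
    """Check 3: anything below the fixed release is affected."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def plugin_present(body):
    """Check 1: fingerprint the plugin from an HTTP response body."""
    return PLUGIN_MARKER in body


def stable_tag(readme_txt):
    """Parse the 'Stable tag:' field of a WordPress plugin readme.txt, if present."""
    m = re.search(r"^Stable tag:\s*([\d.]+)", readme_txt, re.I | re.M)
    return m.group(1) if m else None


def looks_like_sqli(value):
    return any(p.search(value) for p in SQLI_PATTERNS)


def is_unauthenticated(cookies):
    """WordPress sets a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    return not any(name.startswith("wordpress_logged_in_") for name in cookies)


def flag_requests(requests):
    """Check 2: unauthenticated admin-ajax.php requests with SQLi-looking parameters.

    Each request is a dict with keys method, url, body, cookies (constructed shape,
    not a real log format). Returns a list of (url, parameter, value) tuples.
    """
    hits = []
    for req in requests:
        parts = urlsplit(req["url"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if not is_unauthenticated(req.get("cookies", {})):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if req.get("method") == "POST":
            for name, values in parse_qs(req.get("body", ""), keep_blank_values=True).items():
                params.setdefault(name, []).extend(values)
        for name, values in params.items():
            for value in values:
                if looks_like_sqli(value):
                    hits.append((req["url"], name, value))
    return hits


# Constructed sample data. 'example_action' is a hypothetical AJAX action name; the
# advisory does not name the vulnerable one.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "url": "https://example.test/wp-admin/admin-ajax.php?action=example_action"
            "&id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users",
     "body": "", "cookies": {}},
    {"method": "POST",  # same payload, but from a logged-in session: not flagged
     "url": "https://example.test/wp-admin/admin-ajax.php",
     "body": "action=example_action&id=1'+OR+1=1--",
     "cookies": {"wordpress_logged_in_abc123": "admin|..."}},
    {"method": "GET",   # benign request
     "url": "https://example.test/wp-admin/admin-ajax.php?action=heartbeat&id=42",
     "body": "", "cookies": {}},
]

SAMPLE_BODY = '<link rel="stylesheet" href="/wp-content/plugins/wd-google-maps/css/style.css">'
SAMPLE_README = "=== Map Builder ===\nStable tag: 1.0.72\nRequires at least: 5.0\n"


if __name__ == "__main__":
    print("plugin present:", plugin_present(SAMPLE_BODY))
    tag = stable_tag(SAMPLE_README)
    print("stable tag:", tag, "vulnerable:", is_vulnerable_version(tag))
    for url, name, value in flag_requests(SAMPLE_REQUESTS):
        print("suspicious unauthenticated admin-ajax request:", url, name, repr(value))
```

The authenticated request is skipped on purpose: the advisory's point is that the action is reachable without credentials, so the unauthenticated filter is what separates this CVE's traffic from ordinary back-end use. In production the same logic would run over parsed access logs plus a session indicator, and the pattern list would be replaced by the detection rules you already maintain.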

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL