CVE-2023-0261
Published 2023-02-13
Priority: P2 · 64 · high · CVSS 3.1: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.36% (90.0th percentile)
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ljapps | wp_tripadvisor_review_slider | < 10.8 | 10.8 |
Detection & IOCs (extracted from sources)
- Nuclei template digest (bytes): 4a0a00473045022100c5f54a39de012eb160cf0f59a741d526988145957b239c0e4116edb8b65b457e02202d1b2e0a488043de884f76d5527b88c99b3ef367d8452209e972e02ca71b6041:922c64590222798bb761d5b6d8e72950
- The SQL injection is exploitable by users with a role as low as subscriber; monitor for authenticated low-privilege users (subscriber role) issuing unusual or malformed requests to WP TripAdvisor Review Slider plugin endpoints.
- The nuclei/probe template digest is provided, but the full template body (including the specific vulnerable parameter name and endpoint path) is truncated in the source; the exact injectable parameter is not disclosed in the available documentation.
- The NVD advisory states that the parameter is not properly sanitised before use in a SQL statement but does not name the specific parameter or endpoint; additional dynamic analysis is required to identify the exact attack surface.
No detection rules found.
Nuclei
WordPress WP TripAdvisor Review Slider <10.8 - Authenticated SQL Injection
nuclei · CVSS 8.8
CVE-2023-0261 [HIGH] WordPress WP TripAdvisor Review Slider <10.8 - Authenticated SQL Injection
WordPress WP TripAdvisor Review Slider =6'
```yaml
  - 'status_code_2 == 200'
  - 'contains(content_type_2, "application/json")'
  - 'contains(body_2, "\"data\":{")'
condition: and
# digest: 4a0a00473045022100c5f54a39de012eb160cf0f59a741d526988145957b239c0e4116edb8b65b457e02202d1b2e0a488043de884f76d5527b88c99b3ef367d8452209e972e02ca71b6041:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.