CVE-2023-0278 — SQL Injection in Geodirectory

CWE-89 — SQL Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 32.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wpgeodirectory Geodirectory

Timeline

PublishedFeb 27

Description

The GeoDirectory WordPress plugin before 2.2.24 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

▶NVDwpgeodirectory/geodirectory< 2.2.24

🔴Vulnerability Details

CVEList

GeoDirectory < 2.2.24 - Admin+ SQLi↗2023-02-27

▶

GHSA

GHSA-7p2x-p35q-fqcv: The GeoDirectory WordPress plugin before 2↗2023-02-27

▶