CVE-2023-3077
published 2023-07-10CVE-2023-3077: The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection…
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
5.30%
91.6th percentile
The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspireui | mstore_api | < 3.9.8 | 3.9.8 |
Detection & IOCsextracted from sources · hover to see the quote
- →Blind SQL injection is exploitable by unauthenticated users via an unsanitized parameter in MStore API plugin versions before 3.9.8; monitor for anomalous SQL-like patterns in requests to MStore API endpoints
- →Exploitation requires both the MStore API pro features (paid) and the woocommerce-appointments plugin to be active; scope detection to sites running both plugins
- ·Vulnerability is only exploitable when the MStore API pro (paid) features are enabled AND the woocommerce-appointments plugin is installed and active; detections targeting this CVE should filter for environments meeting both conditions to reduce false positives ↗
- ·The Sigma rule fragment in the source is incomplete/malformed (no specific URI path or parameter name is given); treat the digest hash as a rule integrity check only, not as a standalone IOC
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
MStore API < 3.9.8 - SQL Injection
nuclei·CVSS 9.8
CVE-2023-3077 [CRITICAL] MStore API < 3.9.8 - SQL Injection
MStore API =6'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100ed3d7b5cf5d67b8d304b36bd6a89a758951403485413e5c29e28764181844c1302204fc5cf008f6fe796fa7454593e28acd32dc4f338dd9d21993383a357c93eb07b:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
2023-07-10
Published