CVE-2023-3077
published 2023-07-10

CVE-2023-3077: The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection…

Priority: P2 · 68
CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.30% (91.6th percentile)
The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugin's pro features, and uses the woocommerce-appointments plugin.

Affected

1 range

Vendor | Product | Version range | Fixed in
inspireui | mstore_api | < 3.9.8 | 3.9.8

Detection & IOCs (extracted from sources)

  • Blind SQL injection is exploitable by unauthenticated users via an unsanitized parameter in MStore API plugin versions before 3.9.8; monitor for anomalous SQL-like patterns in requests to MStore API endpoints
  • Exploitation requires both the MStore API pro features (paid) and the woocommerce-appointments plugin to be active; scope detection to sites running both plugins
  • Vulnerability is only exploitable when the MStore API pro (paid) features are enabled AND the woocommerce-appointments plugin is installed and active; detections targeting this CVE should filter for environments meeting both conditions to reduce false positives
  • The Sigma rule fragment in the source is incomplete/malformed (no specific URI path or parameter name is given); treat the digest hash as a rule integrity check only, not as a standalone IOC