CVE-2023-32590
published 2023-12-20

CVE-2023-32590: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to…

Priority: P3 (55), high
CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.65% (73.5th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category. This issue affects Subscribe to Category: from n/a through 2.7.4.

Affected

2 ranges

Vendor / Product (slug as extracted)                              | Version range | Fixed in
daniel_s_derstr_msidney_van_de_stouwe_subscribe_to_category       | n/a – 2.7.4   | (not stated)
subscribe_to_category_project / subscribe_to_category             | <= 2.7.4      | (not stated)

Detection & IOCs (extracted from sources)

sigma (matcher conditions, as extracted)
  Subscribe to Category = 10'
  - 'len(body) == 0'
  - 'status_code == 200'
  - 'contains(content_type, "application/json")'
  • The SQL injection probe appends a numeric value followed by a single quote (e.g., 10') to the Subscribe to Category parameter; a response indicating successful blind SQLi returns HTTP 200 with an empty body and Content-Type application/json.
  • The nuclei/fuzzing template digest can be used to fingerprint the specific detection template targeting CVE-2023-32590.
  • The vulnerability affects Subscribe to Category plugin versions up to and including 2.7.4; versions beyond this range are not confirmed affected.