CVE-2023-32590
Published 2023-12-20
CVE-2023-32590: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to…
Priority: P3 (55) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit
EPSS: 1.65% (73.5th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category. This issue affects Subscribe to Category: from n/a through 2.7.4.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| daniel_s_derstr_m | sidney_van_de_stouwe_subscribe_to_category | n/a – 2.7.4 | — |
| subscribe_to_category_project | subscribe_to_category | <= 2.7.4 | — |
Detection & IOCs (extracted from sources)
- SQL injection probe uses a numeric value followed by a single quote (e.g., '10'') appended to the Subscribe to Category parameter; a successful blind SQLi response returns HTTP 200 with an empty body and Content-Type application/json.
- The nuclei/fuzzing template digest can be used to fingerprint the specific detection template targeting CVE-2023-32590.
- Vulnerability affects Subscribe to Category plugin versions up to and including 2.7.4; versions beyond this range are not confirmed affected.
Sigma
No detection rules found.
Nuclei (CVSS 7.5)
CVE-2023-32590 [HIGH] Subscribe to Category <= 2.7.4 - SQL Injection
Probe: Subscribe to Category = 10'

```yaml
- 'len(body) == 0'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
condition: and
# digest: 4a0a00473045022100fd469f4001fca95928f1f9146baa2b7bfa504e0ffbb7c7ed7e83a09be057e4ba022036085d478b1d17b831908e6c26b3dcad9be22da24ea141308adfaa17f93f7098:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
https://patchstack.com/database/vulnerability/subscribe-to-category/wordpress-subscribe-to-category-plugin-2-7-4-sql-injection-vulnerability?_s_id=cve
Published: 2023-12-20