CVE-2023-39650
published 2023-08-28

CVE-2023-39650: Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

Priority: P261
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.63% (88.1th percentile)

Affected

1 range

Vendor       Product                 Version range   Fixed in
themevolty   theme_volty_cms_blog    < 4.0.1         4.0.1

Detection & IOCs

url: /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(10)))oqFL)--+yxoW
url: /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs
url: /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs
path: /tvcmsblog/single
  • Time-based blind SQLi detection: send payload with SLEEP(10) to /module/tvcmsblog/single via the `id` parameter; a response duration >= 10 seconds with HTTP 200 and body containing 'tvcmsblog' confirms exploitation.
  • Boolean-based blind SQLi detection: true condition (5484=5484) returns HTTP 200 with 'tvcmsblog' in body; false condition (5484=5485) returns HTTP 302 redirect — differing responses confirm injection.
  • Pre-check for vulnerable host: confirm PrestaShop with tvcmsblog module present by checking response body for strings 'prestashop' or 'tvcmsblog' before launching SQLi probes.
  • Shodan dork to identify exposed PrestaShop instances running the tvcmsblog module.
  • Vulnerability affects tvcmsblog module versions up to and including 4.0.1; versions beyond 4.0.1 may be patched.
  • The injection point is the `id` parameter in the GET request; no authentication is required, so exploitation is possible by unauthenticated guests.
  • Time-based detection requires a 30-second HTTP timeout on the probe request to reliably observe the SLEEP(10) delay.
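
A log-side check for the request pattern listed above, as an added example (not code from the advisory, the module or any referenced template). It assumes combined-format access log lines and that `id` and `id_currency` are plain integers in normal use; because the sample URLs on this page carry the appended SQL after `page_type`, it inspects every query parameter on the path rather than `id` alone. The log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_PATH = "/tvcmsblog/single"        # path IOC listed on the page
NUMERIC_PARAMS = {"id", "id_currency"}   # assumption: plain integers in normal use
# Quote characters, SQL comment markers and common SQL keywords.
SQL_MARKERS = re.compile(r"""["'`]|--|/\*|\b(?:sleep|select|union)\b""", re.I)

def suspicious_params(url):
    """Return (parameter, reason) pairs for a request to the tvcmsblog endpoint."""
    parts = urlsplit(url)
    if not unquote(parts.path).rstrip("/").endswith(TARGET_PATH):
        return []
    hits = []
    # parse_qsl decodes %22 and '+', so encoded and raw payloads look the same.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not value.isdigit():
            hits.append((name, "non-numeric"))
        elif SQL_MARKERS.search(value):
            hits.append((name, "sql-marker"))
    return hits

def scan(lines):
    """Return (line_number, hits) for every log line that trips a check."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Aug/2023:10:00:01 +0000] "GET /module/tvcmsblog/single?id=14&page_type=post HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Aug/2023:10:00:05 +0000] "GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post%22+AND+5484=5484--+xhCs HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Aug/2023:10:00:09 +0000] "GET /module/tvcmsblog/single?id=14%27&page_type=post HTTP/1.1" 302 0',
    '203.0.113.7 - - [28/Aug/2023:10:00:12 +0000] "GET /search?q=it%27s HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```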