CVE-2023-39796
published 2023-11-10CVE-2023-39796: SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE…
PriorityP180critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
6.10%
92.5th percentile
SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wbce | wbce_cms | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandaction=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record↗
- →Detect unauthenticated POST requests to /modules/miniform/ajax_delete_message.php containing a backtick (`) in the DB_RECORD_TABLE parameter, indicative of SQL injection escape attempt. ↗
- →Time-based blind SQLi detection: if the server response to the crafted POST request is delayed by 6–7 seconds or more, the injection is successful. ↗
- →Match HTTP 200 response containing the string 'Record deleted successfully!' combined with a response duration >= 7 seconds to confirm exploitation. ↗
- →Flag POST requests to ajax_delete_message.php that include SLEEP() SQL function calls within the DB_RECORD_TABLE parameter body. ↗
- →No authentication check exists on ajax_delete_message.php — any unauthenticated POST to this endpoint should be treated as suspicious and alerted on. ↗
- ·The vulnerability exists in the DELETE query at line 40 of ajax_delete_message.php; the DB_RECORD_TABLE parameter is directly interpolated into the query without proper parameterization. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jwpq-f263-r9ph: SQL injection vulnerability in the miniform module in WBCE CMS v
ghsa_unreviewed·2023-11-10
CVE-2023-39796 [CRITICAL] CWE-89 GHSA-jwpq-f263-r9ph: SQL injection vulnerability in the miniform module in WBCE CMS v
SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
VulnCheck
wbce wbce_cms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2023·CVSS 9.8
CVE-2023-39796 [CRITICAL] wbce wbce_cms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
wbce wbce_cms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
Affected: wbce wbce_cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-19&host_type=src&vulnerability=cve-2023-39796; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-20&host_type=src&vulnerability=cve-2023-39796; https://dashboard.shadowserver.org/statistics/honeypot/
No detection rules found.
Exploit-DB
WBCE 1.6.0 - Unauthenticated SQL injection
exploitdb·2024-04-12·CVSS 9.8
CVE-2023-39796 [CRITICAL] WBCE 1.6.0 - Unauthenticated SQL injection
WBCE 1.6.0 - Unauthenticated SQL injection
---
# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023
# Exploit Author: young pope
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip
# Version: 1.6.0
# Tested on: Kali linux
# CVE : CVE-2023-39796
There is an sql injection vulnerability in *miniform* module which is a
default module installed in the *WBCE* cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.
In file /modules/miniform/ajax_delete_message.php there is no
authentication check. On line |40| in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign - ```.
Function |addslashes(
Nuclei
WBCE 1.6.0 - SQL Injection
nuclei·CVSS 9.8
CVE-2023-39796 [CRITICAL] WBCE 1.6.0 - SQL Injection
WBCE 1.6.0 - SQL Injection
There is an sql injection vulnerability in "miniform module" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file "/modules/miniform/ajax_delete_message.php" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.
Template:
id: CVE-2023-39796
info:
name: WBCE 1.6.0 - SQL Injection
author: youngpope
severity: critical
description: |
There is an sql injection vulnerability in "miniform module" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file "/modules/minifor
2023-11-10
Published
Exploited in the wild