CVE-2023-40749
Published 2023-08-28
Priority P2 · 60 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 3.31% (87.0th percentile)
PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the "column" parameter of index.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpjabbers | food_delivery_script | 3.0 (cpe:2.3:a:phpjabbers:food_delivery_script:3.0) | — |
Detection & IOCs (extracted from sources)
- HTTP POST to index.php with controller=pjAdminOrders, action=pjActionGetNewOrder, and a boolean-based blind SQL payload in the 'column' parameter; a 200 response whose body contains both 'class pjAdminOrdersaction' and 'didn't exists' indicates successful exploitation.
- The Shodan query html:"PHPJabbers" identifies internet-exposed PHPJabbers installations. It matches any PHPJabbers product, so hits need to be confirmed as Food Delivery Script v3.0 before being treated as vulnerable to CVE-2023-40749.
- The payload is a boolean-based CASE expression in the column parameter: (SELECT (CASE WHEN (4213=4213) THEN 0x63726561746564 ELSE (SELECT 7877 UNION SELECT 7153) END)). The hex literal 0x63726561746564 decodes to the column name "created", so a true condition evaluates to a legitimate column while the false branch is a two-row subquery that raises an error; the difference in the response is the oracle. Monitor for CASE/WHEN/THEN constructs, subselects, or 0x hex-encoded strings in the column parameter of index.php requests.
- The vulnerability is unauthenticated (PR:N/UI:N) and affects only PHPJabbers Food Delivery Script version 3.0 (CPE: cpe:2.3:a:phpjabbers:food_delivery_script:3.0). The EPSS score of 0.44459 (97.571st percentile) quoted in the source indicates a high probability of exploitation in the wild; EPSS is recomputed daily, which is why it differs from the header figure.
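The IOCs above describe the request shape and the payload but not how to turn them into a detection. The following is an added example (not code from the page's sources, from the Nuclei project or from PHPJabbers) that applies those heuristics to a constructed JSON-lines log from a reverse proxy or WAF that records POST bodies, an assumed log format. It flags index.php POSTs whose column parameter carries CASE/WHEN/THEN, a subselect or a 0x hex literal, decodes hex literals for triage (the known payload's literal is just "created"), and grades values that are merely not a bare identifier as suspicious rather than confirmed injection.

```python
import json
import re
from urllib.parse import parse_qs

# Added detection example for CVE-2023-40749 (not code from the page's sources
# or from PHPJabbers). Heuristics follow the IOCs above: a POST to index.php
# with controller=pjAdminOrders and action=pjActionGetNewOrder whose "column"
# parameter carries SQL (CASE/WHEN/THEN, a subselect, or a 0x hex literal)
# instead of a bare column name.

CASE_RE = re.compile(r"\bCASE\b.*\bWHEN\b.*\bTHEN\b", re.IGNORECASE | re.DOTALL)
SUBSELECT_RE = re.compile(r"\(\s*SELECT\b", re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r"0x[0-9a-fA-F]{2,}")
# A legitimate sort column is a bare identifier (optionally table.column).
BARE_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")


def decode_hex_literals(value):
    """Decode every 0x... literal in value to text, for analyst triage.
    In the known payload 0x63726561746564 is simply 'created', a real column
    name, which is what makes the TRUE branch a valid column expression."""
    decoded = []
    for m in HEX_LITERAL_RE.finditer(value):
        digits = m.group(0)[2:]
        if len(digits) % 2 == 0:
            decoded.append(bytes.fromhex(digits).decode("ascii", errors="replace"))
    return decoded


def analyse_request(rec):
    """Classify one request record as 'benign', 'suspicious' or 'sqli'.
    Returns (verdict, reasons). rec is a dict with method, path and body."""
    reasons = []
    if rec.get("method") != "POST" or not rec.get("path", "").endswith("index.php"):
        return "benign", reasons
    params = {k: v[0] for k, v in parse_qs(rec.get("body", ""), keep_blank_values=True).items()}
    column = params.get("column")
    if column is None:
        return "benign", reasons
    if params.get("controller") == "pjAdminOrders" and params.get("action") == "pjActionGetNewOrder":
        reasons.append("targets pjAdminOrders/pjActionGetNewOrder (CVE-2023-40749 endpoint)")

    strong = []
    if CASE_RE.search(column):
        strong.append("CASE/WHEN/THEN in column")
    if SUBSELECT_RE.search(column):
        strong.append("subselect in column")
    hexes = decode_hex_literals(column)
    if hexes:
        strong.append("hex literal(s) in column decode to %r" % hexes)
    if strong:
        return "sqli", reasons + strong
    if not BARE_IDENT_RE.match(column):
        return "suspicious", reasons + ["column is not a bare identifier: %r" % column]
    return "benign", reasons


# Constructed JSON-lines log (assumed format: a reverse proxy or WAF that
# records request bodies). Line 2 carries the payload quoted in the IOCs.
SAMPLE_LOG = """\
{"ts": "2023-08-29T10:00:01Z", "src": "198.51.100.7", "method": "POST", "path": "/index.php", "body": "controller=pjAdminOrders&action=pjActionGetNewOrder&column=created"}
{"ts": "2023-08-29T10:00:02Z", "src": "203.0.113.9", "method": "POST", "path": "/index.php", "body": "controller=pjAdminOrders&action=pjActionGetNewOrder&column=(SELECT+(CASE+WHEN+(4213%3D4213)+THEN+0x63726561746564+ELSE+(SELECT+7877+UNION+SELECT+7153)+END))"}
{"ts": "2023-08-29T10:00:03Z", "src": "203.0.113.9", "method": "GET", "path": "/index.php", "body": ""}
{"ts": "2023-08-29T10:00:04Z", "src": "192.0.2.4", "method": "POST", "path": "/index.php", "body": "controller=pjAdminOrders&action=pjActionGetNewOrder&column=id%20desc"}
"""


def scan_log(text):
    """Run analyse_request over each JSON line; return the non-benign hits."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict, reasons = analyse_request(rec)
        if verdict != "benign":
            alerts.append({"ts": rec["ts"], "src": rec["src"], "verdict": verdict, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["src"], alert["verdict"], "; ".join(alert["reasons"]))
```

Run against the constructed log, the second line is reported as sqli (CASE/WHEN/THEN, subselect and a hex literal decoding to "created") and the fourth as suspicious only, because "id desc" is not a bare identifier but carries no injection construct; the legitimate column=created request and the GET produce nothing. The controller/action match is recorded as context rather than used as a gate, so the same payload sent to another PHPJabbers controller is still caught.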
No detection rules found.
Nuclei
CVE-2023-40749 [CRITICAL] PHPJabbers Food Delivery Script v3.0 - SQL Injection (nuclei · CVSS 9.8)
PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the "column" parameter of index.php.
Template:
```yaml
id: CVE-2023-40749
info:
  name: PHPJabbers Food Delivery Script v3.0 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the "column" parameter of index.php.
  impact: |
    Unauthenticated attackers can exploit SQL injection in the column parameter to extract sensitive database information including customer orders, payment details, delivery addresses, and admin credentials from the Food Delivery platform.
  remediation: |
    Update PHPJabbers Food Delivery Script to a version newer than 3.0 that properly sanitizes the column parameter and
```