CVE-2023-40749
published 2023-08-28

CVE-2023-40749: PHPJabbers Food Delivery Script v3.0 is vulnerable to SQL Injection in the "column" parameter of index.php.

Priority: P260
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 3.31% (87.0th percentile)

Affected (1 range)

Vendor        Product                 Version range   Fixed in
phpjabbers    food_delivery_script

Detection & IOCs (extracted from sources)

path: /index.php
  • HTTP POST to index.php with controller=pjAdminOrders, action=pjActionGetNewOrder, and a SQL boolean-based blind payload in the 'column' parameter; a 200 response body containing both 'class pjAdminOrdersaction' and 'didn't exists' indicates successful exploitation.
  • Shodan query 'html:"PHPJabbers"' can be used to identify internet-exposed PHPJabbers Food Delivery Script instances potentially vulnerable to CVE-2023-40749.
  • The SQL injection payload uses a boolean-based CASE expression in the column parameter: (SELECT (CASE WHEN (4213=4213) THEN 0x63726561746564 ELSE (SELECT 7877 UNION SELECT 7153) END)) — monitor for CASE/WHEN/THEN constructs or hex-encoded strings in the column parameter of index.php requests.
  • The vulnerability is unauthenticated (PR:N/UI:N) and affects only PHPJabbers Food Delivery Script version 3.0 (CPE: cpe:2.3:a:phpjabbers:food_delivery_script:3.0). The EPSS score of 0.44459 (97.571st percentile) indicates high exploitation probability in the wild.
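As an added example (not code from the page's sources or from PHPJabbers), the following Python classifier turns the detection bullets above into a check that runs over constructed request samples; it flags requests to index.php whose `column` parameter carries a CASE/WHEN/THEN construct or a hex-encoded string literal. The `params_of` and `classify` helper names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical detection helpers (not vendor tooling). They inspect one HTTP
# request (method, target, form body) and report why it matches the
# CVE-2023-40749 indicators: CASE/WHEN/THEN or a 0x.. literal in 'column'.
CASE_RE = re.compile(r"\bCASE\b.*\bWHEN\b.*\bTHEN\b", re.IGNORECASE | re.DOTALL)
HEX_RE = re.compile(r"\b0x[0-9a-fA-F]{4,}\b")


def params_of(method, target, body=""):
    """Merge query-string and form-body parameters into one dict of lists."""
    merged = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def classify(method, target, body=""):
    """Return the list of matched indicators (empty list means the request looks clean)."""
    if not urlsplit(target).path.endswith("/index.php"):
        return []
    params = params_of(method, target, body)
    reasons = []
    for value in params.get("column", []):
        if CASE_RE.search(value):
            reasons.append("CASE/WHEN/THEN in column")
        if HEX_RE.search(value):
            reasons.append("hex literal in column")
    if reasons and params.get("controller") == ["pjAdminOrders"]:
        reasons.append("targets pjAdminOrders controller")
    return reasons


# Constructed sample traffic (not captured from any real host); the first
# entry reuses the boolean-based payload quoted in the IOC list above.
SAMPLE = [
    ("POST", "/index.php", "controller=pjAdminOrders&action=pjActionGetNewOrder&column=(SELECT (CASE WHEN (4213=4213) THEN 0x63726561746564 ELSE (SELECT 7877 UNION SELECT 7153) END))"),
    ("GET", "/index.php?controller=pjAdminOrders&action=pjActionGetNewOrder&column=created", ""),
    ("GET", "/index.php?column=0x6162636465", ""),
    ("POST", "/other.php", "column=CASE WHEN 1=1 THEN 1 END"),
]


def scan(samples=SAMPLE):
    """Classify every sample; returns (method, target, reasons) tuples."""
    return [(m, t, classify(m, t, b)) for m, t, b in samples]


if __name__ == "__main__":
    for method, target, reasons in scan():
        print(method, target[:40], reasons or "clean")
```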