CVE-2023-6035

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGH

EPSS

0.4%

top 41.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Eazydocs Spider-themes Eazydocs

Timeline

PublishedDec 11

Description

The EazyDocs WordPress plugin before 2.3.4 does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/eazydocs< 2.3.4

▶NVDspider-themes/eazydocs< 2.3.4

🔴Vulnerability Details

CVEList

EazyDocs < 2.3.4 - Subscriber + SQLi↗2023-12-11

▶

GHSA

GHSA-gf95-rw86-w2vf: The EazyDocs WordPress plugin before 2↗2023-12-11

▶