CVE-2023-5082

2023-11-0621:15:09

CWE-89

WPScan

web.nvd.nist.gov

cve-2023-5082

wordpress plugin

sql injection

security vulnerability

admin users

nvd

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it.

Affected configurations

Nvd

Vulners

Node

click5interactivesitemap_by_click5Range<1.0.13wordpress

VendorProductVersionCPE
click5interactivesitemap_by_click5*cpe:2.3:a:click5interactive:sitemap_by_click5:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
click5interactive	sitemap_by_click5	*	cpe:2.3:a:click5interactive:sitemap_by_click5::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "History Log by click5",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.0.13"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]