Lucene search

[email protected]CVE-2023-5430

HistoryOct 31, 2023 - 9:15 a.m.

CVE-2023-5430

2023-10-3109:15:08

[email protected]

web.nvd.nist.gov

cve-2023-5430

jquery

news ticker

wordpress

sql injection

nvd

security vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7.8 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

25.6%

JSON

The Jquery news ticker plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CPENameOperatorVersion
gopiplus:jquery_news_tickergopiplus jquery news tickerlt3.1
gopiplus:jquery_news_tickergopiplus jquery news tickereq1.8
gopiplus:jquery_news_tickergopiplus jquery news tickereq1.2
gopiplus:jquery_news_tickergopiplus jquery news tickereq2.0
gopiplus:jquery_news_tickergopiplus jquery news tickereq2.2
gopiplus:jquery_news_tickergopiplus jquery news tickereq1.3
gopiplus:jquery_news_tickergopiplus jquery news tickereq1.1
gopiplus:jquery_news_tickergopiplus jquery news tickereq1.6
gopiplus:jquery_news_tickergopiplus jquery news tickereq2.1
gopiplus:jquery_news_tickergopiplus jquery news tickereq2.8

CPE	Name	Operator	Version
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	lt	3.1
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	1.8
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	1.2
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	2.0
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	2.2
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	1.3
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	1.1
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	1.6
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	2.1
gopiplus:jquery_news_ticker	gopiplus jquery news ticker	eq	2.8

Rows per page:

1-10 of 221

References

plugins.trac.wordpress.org/browser/jquery-news-ticker/trunk/jquery-news-ticker.php?rev=2827068#L92

plugins.trac.wordpress.org/changeset/2985559/jquery-news-ticker#file1

www.wordfence.com/threat-intel/vulnerabilities/id/3b7f8739-7f40-40a7-952e-002ea3b82ac7?source=cve

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7.8 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

25.6%

JSON

Related for CVE-2023-5430

wpvulndb1 cvelist1 prion1 wordfence1