CVE-2023-2744
N/A
N/A
Summary
The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting |
Weaknesses
- CWE-89 SQL Injection
ADP Enrichment
CVE Program Container
Additional References
- https://wpscan.com/vulnerability/435da8a1-9955-46d7-a508-b5738259e731
- http://packetstormsecurity.com/files/175106/WordPress-WP-ERP-1.12.2-SQL-Injection.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://wpscan.com/vulnerability/435da8a1-9955-46d7-a508-b5738259e731
- http://packetstormsecurity.com/files/175106/WordPress-WP-ERP-1.12.2-SQL-Injection.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.