WordPress Plugin Vulnerabilities

MainWP Broken Links Checker Extension <= 4.0 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Affects Plugins

Plugin icon
mainwp-broken-links-checker-extension
No known fix

References

CVE
CVE-2023-23737

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.3 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
0d8b7a41-2705-4ff5-bd2b-41b8c7a00099

Timeline

Publicly Published
2023-01-18 (about 1 years ago)
Added
2023-10-12 (about 7 months ago)
Last Updated
2023-10-12 (about 7 months ago)

Other

Published
Title
Published
2014-08-01
Title
plugin WP-Forum 1.7.8 - Remote SQL Injection
Published
2021-07-24
Title
Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection
Published
2024-04-22
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Authenticated (Contributor+) SQL Injection
Published
2015-07-15
Title
Smooth Slider < 2.7 - Authenticated SQL Injection
Published
2023-11-07
Title
Who Hit The Page – Hit Counter <= 1.4.14.3 - Authenticated (Administrator+) SQL Injection