WordPress Plugin Vulnerabilities

Quasar form <= 6.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Affects Plugins

Plugin icon
quasar-form
No known fix

References

CVE
CVE-2023-35910

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
2655de31-c8a2-4084-80e3-4eea900546d8

Timeline

Publicly Published
2023-07-24 (about 2 years ago)
Added
2023-11-17 (about 2 years ago)
Last Updated
2023-11-17 (about 2 years ago)

Other

Published
Title
Published
2025-08-12
Title
Tutor LMS Pro – eLearning and online course solution < 3.7.1 - Authenticated (Tutor Instructor+) SQL Injection
Published
2024-04-22
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Authenticated (Contributor+) SQL Injection
Published
2025-12-14
Title
xPromoter < 1.3.5 - Authenticated (Contributor+) SQL Injection
Published
2024-09-30
Title
YITH WooCommerce Ajax Search < 2.8.1 - Unauthenticated SQL Injection
Published
2024-03-21
Title
Easy Property Listings < 3.5.3 - Authenticated(Contributor+) SQL Injection via Shortcode