WordPress Plugin Vulnerabilities

WD WidgetTwitter <= 1.0.9 - Contributor+ SQLi

Description

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow users with the contributor role and above to perform SQL injection attacks

Affects Plugins

Plugin icon
widget-twitter
No known fix

References

CVE
CVE-2023-5709

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
2918c103-be13-4cbd-a439-ead7000524c3

Timeline

Publicly Published
2023-11-06 (about 2 years ago)
Added
2023-11-17 (about 2 years ago)
Last Updated
2023-11-17 (about 2 years ago)

Other

Published
Title
Published
2016-11-10
Title
Sirv <= 1.3.1 - Authenticated SQL Injection
Published
2025-03-07
Title
Post SMTP < 3.1.3 - Authenticated (Administrator+) SQL Injection via columns Parameter
Published
2023-05-16
Title
Multiple Page Generator < 3.3.18 - Admin+ SQLi
Published
2022-11-30
Title
IWS - Geo Form Fields <= 1.0 - Unauthenticated SQLi
Published
2021-10-26
Title
Mang Board WP < 1.6.9 - SQL Injection