WordPress Plugin Vulnerabilities

MStore API < 4.0.2 - Unauthenticated SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Affects Plugins

Plugin icon
mstore-api
Fixed in 4.0.2

References

CVE
CVE-2023-3197

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Truoc Phan, An Đặng
Verified
No
WPVDB ID
3a868e87-0a76-42bc-bd14-aab382fb27ce

Timeline

Publicly Published
2023-06-23 (about 2 years ago)
Added
2023-06-27 (about 2 years ago)
Last Updated
2023-06-27 (about 2 years ago)

Other

Published
Title
Published
2025-05-16
Title
Radio Player Shoutcast & Icecast WordPress Plugin < 4.4.7 - Authenticated (Contributor+) SQL Injection
Published
2025-12-30
Title
FooEvents for WooCommerce < 1.20.5 - Authenticated (Subscriber+) SQL Injection
Published
2025-03-31
Title
Advanced WooCommerce Product Sales Reporting < 4.1.2 - Unauthenticated SQLi
Published
2021-11-01
Title
BSK PDF Manager < 3.1.2 - Admin+ SQL Injection
Published
2017-08-07
Title
Podlove Podcast Publisher < 2.6.0 - Authenticated SQL Injection