WordPress Plugin Vulnerabilities

WP Brutal AI < 2.0.0 - SQL Injection via CSRF

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

Proof of Concept

Affects Plugins

Plugin icon
wpbrutalai
Fixed in 2.0.0

References

CVE
CVE-2023-2601

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
https://taurusomar.com
Submitter twitter
@TaurusOmar_
Verified
Yes
WPVDB ID
57769468-3802-4985-bf5e-44ec1d59f5fd

Timeline

Publicly Published
2023-06-05 (about 2 years ago)
Added
2023-06-05 (about 2 years ago)
Last Updated
2023-06-05 (about 2 years ago)

Other

Published
Title
Published
2021-07-26
Title
uListing < 2.0.4 - Unauthenticated SQL Injection
Published
2025-05-16
Title
Multimedia Responsive Carousel with Image Video Audio Support <= 2.6.0 - Authenticated (Contributor+) SQL Injection
Published
2025-01-03
Title
Multiple Shipping And Billing Address For Woocommerce < 1.3 - Unauthenticated SQL Injection
Published
2020-08-03
Title
Ajax Search Pro < 4.19 - Subscriber+ SQL Injection
Published
2023-12-21
Title
Squirrly SEO - Advanced Pack <= 2.3.8 - Authenticated(Administrator+) SQL Injection