WordPress Plugin Vulnerabilities

MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi

Description

The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

Note (WPScan): The issue was fixed in 1.14.13, however a better patch was done in 1.14.15 as per our suggestion.

Proof of Concept

Affects Plugins

Plugin icon
multiparcels-shipping-for-woocommerce
Fixed in 1.14.15

References

CVE
CVE-2023-2843

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Dao Xuan Hieu
Submitter
Dao Xuan Hieu
Verified
Yes
WPVDB ID
8e713eaf-f332-47e2-a131-c14222201fdc

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-07-17 (about 2 years ago)
Last Updated
2023-07-17 (about 2 years ago)

Other

Published
Title
Published
2022-10-03
Title
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
Published
2024-10-25
Title
RSVP ME <= 1.9.9 - Unauthenticated SQL Injection
Published
2023-06-21
Title
WooCommerce Product Vendors < 2.1.77 - Vendor Admin+ SQLi
Published
2025-03-06
Title
School Management System for Wordpress < 93.0.0 - Authenticated (Subscriber+) SQL Injection via 'mj_smgt_show_event_task'
Published
2025-12-01
Title
WP Directory Kit < 1.4.7 - Authenticated (Admin+) SQL Injection