WordPress Plugin Vulnerabilities

ReviewX < 1.6.4 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rx_export_review AJAX action available to any authenticated users, leading to a SQL injection exploitable by users with a role as low as subscriber

Proof of Concept

Affects Plugins

Plugin icon
reviewx
Fixed in 1.6.4

References

CVE
CVE-2023-26325

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Joshua Martinelle (Tenable Research)
Verified
No
WPVDB ID
bb5cc190-6291-4af3-978b-0ade2ea68d77

Timeline

Publicly Published
2023-02-23 (about 3 years ago)
Added
2023-02-24 (about 3 years ago)
Last Updated
2023-02-24 (about 3 years ago)

Other

Published
Title
Published
2025-03-14
Title
School Management System – WPSchoolPress < 2.2.18 - Teacher+ SQL Injection
Published
2026-03-20
Title
Miraculous Core < 2.1.2 - Authenticated (Subscriber+) SQL Injection
Published
2024-11-20
Title
Distance Based Shipping Calculator < 2.0.24 - Subscriber+ SQL Injection
Published
2024-03-26
Title
Contact Form to Any API < 1.1.9 - Authenticated (Subscriber+) SQL Injection
Published
2022-04-05
Title
Documentor <= 1.5.3 - Unauthenticated SQLi