High severity 8.2 · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2023-54333

Description

Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Social-Share-Buttons 2.2.3 for WordPress has a critical SQL injection in the project_id parameter, allowing unauthenticated attackers to dump the entire database.

Vulnerability

Overview

Social-Share-Buttons 2.2.3, a WordPress plugin, contains a critical SQL injection vulnerability in the project_id parameter. The plugin fails to properly sanitize user-supplied input before using it in database queries, allowing an attacker to inject arbitrary SQL commands [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to the vulnerable endpoint with a malicious payload in the project_id parameter. No authentication is required, and the attack can be performed remotely over the network. Proof-of-concept payloads demonstrate both boolean-based blind and time-based blind SQL injection techniques [2][3].

Impact

Successful exploitation allows an attacker to retrieve and steal the entire contents of the WordPress database, including user credentials, posts, and other sensitive data, and potentially gain administrative access to the site [2][3][4]. The vulnerability is rated HIGH with a CVSS v3 score of 8.2.

Mitigation

As of the publication date, no official patch has been released. Users are advised to disable or remove the plugin until a fix is available. The vulnerability has been publicly disclosed and proof-of-concept code is available, increasing the risk of exploitation [2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
