VYPR
High severity · CVSS 8.2 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 15, 2026

CVE-2023-54359

Description

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in WordPress adivaha Travel Plugin 2.3 via the 'pid' parameter allows time-based blind extraction of database contents.

Vulnerability

Overview

The WordPress adivaha Travel Plugin version 2.3 contains a time-based blind SQL injection vulnerability in the /mobile-app/v3/ endpoint. The pid GET parameter is neither validated nor escaped before it is built into an SQL query, so an attacker controls part of the query text and can append arbitrary SQL. This is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) vulnerability [1][2].
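The following Python program is an added illustration of that CWE-89 pattern; it is not the plugin's code. A pid value taken from the query string is spliced into SQL by string formatting, next to the parameterized version that closes the hole. SQLite stands in for MySQL, and because SQLite has no SLEEP() a Python-backed SLEEP() is registered so the time-based behaviour can be reproduced offline. The table, its rows, and the delay probe `1 AND SLEEP(0.25)=0` (a generic time-delay probe, not the advisory's XOR payload) are all constructed for this example.

```python
"""Time-based blind SQL injection through an unsanitized numeric GET parameter.

Added illustration of the CWE-89 pattern the advisory describes; not the adivaha
plugin's code. SQLite stands in for MySQL, with a Python-backed SLEEP() registered
so the delay can be observed offline. Schema, rows and the probe are constructed.
"""
import sqlite3
import time
from urllib.parse import parse_qs, urlencode

SLEEP_SECONDS = 0.25  # short delay for the demo; the advisory's PoC uses SLEEP(6)


def open_db():
    """In-memory database with a few constructed rows and a SLEEP() UDF."""
    conn = sqlite3.connect(":memory:")
    # Non-deterministic UDF, so SQLite evaluates it per row instead of folding it.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE packages (pid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO packages VALUES (?, ?)",
                     [(1, "City tour"), (2, "Safari"), (3, "Cruise")])
    return conn


def lookup_vulnerable(conn, query_string):
    """Vulnerable: the raw pid string becomes part of the SQL text (CWE-89)."""
    pid = parse_qs(query_string).get("pid", [""])[0]
    sql = f"SELECT name FROM packages WHERE pid = {pid}"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, query_string):
    """Hardened: validate the type first, then bind the value as a parameter."""
    pid = parse_qs(query_string).get("pid", [""])[0]
    if not pid.isdigit():
        raise ValueError("pid must be a non-negative integer")
    sql = "SELECT name FROM packages WHERE pid = ?"
    return [row[0] for row in conn.execute(sql, (int(pid),))]


def timed(fn, conn, query_string):
    """Run a lookup the way a blind-injection probe would: note the delay."""
    start = time.monotonic()
    try:
        result = fn(conn, query_string)
    except ValueError as exc:
        result = f"rejected: {exc}"
    return result, time.monotonic() - start


BENIGN = urlencode({"pid": "1"})
# Generic delay probe: SLEEP() returns 0, so "=0" keeps the WHERE clause true
# and the only observable effect is the pause.
PROBE = urlencode({"pid": f"1 AND SLEEP({SLEEP_SECONDS})=0"})

if __name__ == "__main__":
    db = open_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        for qs in (BENIGN, PROBE):
            result, secs = timed(fn, db, qs)
            print(f"{label:10s} {qs!r:36s} -> {result} in {secs:.2f}s")
```

The vulnerable lookup returns the same row for both inputs and the only difference is the delay, which is exactly the signal a time-based blind probe measures; the hardened lookup never lets the payload reach the parser at all.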

Exploitation

Details

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the /mobile-app/v3/ endpoint with a malicious pid value. The proof-of-concept cited in the references uses an XOR-based payload to perform a time-based blind injection, triggering a SELECT SLEEP(6) statement: a response delayed by roughly six seconds confirms the injection point, and the same delayed-or-not timing difference can then be used to infer database contents one condition at a time. The attack requires no authentication and can be performed remotely over the network [2][3].

Impact

Successful exploitation allows an attacker to extract sensitive data from the WordPress database, such as user credentials, personal information or configuration details. The CVSS v3.1 score of 8.2 (High) reflects high confidentiality impact, since an attacker can read arbitrary database contents through blind inference; the denial-of-service potential noted in the description comes from the same mechanism, as SLEEP-based queries hold database connections open for the duration of the delay [2].

Mitigation

As of the publication date, no patched version has been released. Users of the adivaha Travel Plugin version 2.3 are advised to disable the plugin or, as a stopgap, implement a web application firewall (WAF) rule that rejects malformed pid values on the /mobile-app/v3/ endpoint. A WAF rule reduces exposure but does not remove the injection point; only a plugin update that validates and parameterizes the pid query does. The vendor has been notified, but no official update is available [1][2].
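As an added example of that stopgap, and of how to look back through access logs for probes of this endpoint, the following Python script implements the request check and a log triage pass. It is not the plugin's code and not a rule from any WAF product. It assumes a legitimate pid is a plain decimal integer, which the advisory implies but does not state, and it expects Apache-style combined log lines with the request duration in microseconds (%D) appended as the last field; the log lines below, including the probe they contain, are constructed for this example.

```python
"""Stopgap request filtering and log triage for the adivaha 'pid' injection point.

Added example; not the plugin's code and not any WAF vendor's rule. Assumes (the
advisory implies but does not say) that a valid pid is a decimal integer. Log lines
are constructed: Apache combined format plus %D (microseconds) as the last field.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/mobile-app/v3/"
PID_OK = re.compile(r"^[0-9]{1,10}$")              # assumption: pid is a decimal id
SQL_HINTS = re.compile(r"(?i)\b(sleep|benchmark|xor|select|union)\b|[()'\"]")
SLOW_US = 5_000_000                                 # PoC delay is SLEEP(6); 5 s gives headroom

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<duration>\d+)$'
)

# Constructed sample: a normal lookup, a timing probe, an unrelated path, and a
# numeric request that was nevertheless slow (a signal worth a look on its own).
LOG_LINES = [
    '203.0.113.5 - - [09/Apr/2026:10:00:01 +0000] "GET /mobile-app/v3/?pid=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 3120',
    '203.0.113.9 - - [09/Apr/2026:10:00:07 +0000] "GET /mobile-app/v3/?pid=1%20XOR%20SLEEP(6) HTTP/1.1" 200 512 "-" "python-requests/2.31" 6012455',
    '192.0.2.44 - - [09/Apr/2026:10:00:09 +0000] "GET /index.php?pid=1%27 HTTP/1.1" 404 0 "-" "curl/8.5.0" 910',
    '198.51.100.7 - - [09/Apr/2026:10:00:15 +0000] "GET /mobile-app/v3/?pid=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 6100000',
]


def waf_decision(target):
    """Stopgap rule: on the affected path, every pid must be a plain integer."""
    parts = urlsplit(target)
    if not parts.path.startswith(TARGET_PATH):
        return "allow", ""
    pids = parse_qs(parts.query, keep_blank_values=True).get("pid")
    if not pids:
        return "allow", ""
    for pid in pids:
        if not PID_OK.match(pid):
            return "block", f"pid is not a plain integer: {pid!r}"
    return "allow", ""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["duration"] = int(rec["duration"])
    return rec


def triage(lines):
    """Flag past requests to the endpoint that look like injection probes.

    Returns (client_ip, request_target, [reasons]) for each suspicious request:
    a pid the WAF rule would block, SQL keywords or quotes in pid, or a response
    slow enough to match a SLEEP()-based probe regardless of what the pid looked like.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not urlsplit(rec["target"]).path.startswith(TARGET_PATH):
            continue
        reasons = []
        decision, reason = waf_decision(rec["target"])
        if decision == "block":
            reasons.append(reason)
        pid_raw = parse_qs(urlsplit(rec["target"]).query).get("pid", [""])[0]
        if SQL_HINTS.search(pid_raw):
            reasons.append("SQL keyword or quote in pid")
        if rec["duration"] >= SLOW_US:
            reasons.append(f"response took {rec['duration'] / 1e6:.1f} s")
        if reasons:
            findings.append((rec["ip"], rec["target"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in triage(LOG_LINES):
        print(ip, target)
        for r in reasons:
            print("   -", r)
```

The integer check is the rule to deploy in front of the endpoint; the timing check is for the log review, because a probe that was URL-encoded differently or hidden in a POST body still leaves its six-second footprint in the duration field.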

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.