CVE-2023-2719: SupportCandy < 3.1.7 - Subscriber+ SQLi

0.0 CVSS

Description

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber.

Classification

CVE ID: CVE-2023-2719

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Unknown

Product: SupportCandy

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 41.57% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://wpscan.com/vulnerability/d9f6f4e7-a237-49c0-aba0-2934ab019e35

Timeline

2024-12-13 00:30:23 UTC
CVE

SupportCandy < 3.1.7 - Subscriber+ SQLi