CVE-2023-2719
📋 TL;DR
This SQL injection vulnerability in the SupportCandy WordPress plugin lets any authenticated user with Subscriber-level access (the lowest default role, obtainable through self-registration where that is enabled) inject SQL into the plugin's database queries. It affects WordPress sites running vulnerable versions of the plugin and puts the confidentiality and integrity of the site database at risk.
💻 Affected Systems
- SupportCandy WordPress Plugin
📦 What is this software?
SupportCandy, a helpdesk and support-ticket plugin for WordPress, by SupportCandy.
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise: theft, modification or deletion of any table the WordPress database user can reach, including the wp_users password hashes; privilege escalation to administrator by altering user or option rows; code execution if the database account is allowed to write files on the web server (for example MySQL INTO OUTFILE with the FILE privilege).
Likely Case
Unauthorized read access to the database, extraction of sensitive data (password hashes, customer and ticket data, personal information) and, from there, privilege escalation within WordPress.
If Mitigated
Limited impact once the plugin is updated to a version that validates input and uses parameterized queries; a WAF in front of the site reduces exposure in the meantime but does not remove it.
🎯 Exploit Status
Exploitation requires an authenticated account with at least the Subscriber role; on sites with open registration an attacker can create one. Public exploit details are available in the referenced advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.7
Advisory (WPScan): https://wpscan.com/vulnerability/d9f6f4e7-a237-49c0-aba0-2934ab019e35
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the SupportCandy plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 3.1.7 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Restrict the SupportCandy REST routes
Temporarily block the plugin's REST routes for low-privilege users until the site can be patched. WordPress has no WP_REST_API_DISABLED constant, so adding define('WP_REST_API_DISABLED', true); to wp-config.php does nothing. Hook the rest_pre_dispatch filter instead, from a must-use plugin in wp-content/mu-plugins/ (not wp-config.php, which loads before add_filter() exists); the /supportcandy/ namespace follows the /wp-json/supportcandy/* endpoints named in this advisory:
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Block only the plugin's own namespace for non-administrators; the rest of the REST API keeps working.
    if ( 0 === strpos( $request->get_route(), '/supportcandy/' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'SupportCandy REST routes disabled pending update', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
This takes the helpdesk front end away from customers while it is in place, does not cover requests served through wp-admin/admin-ajax.php, and only helps if the vulnerable handler is in fact reached through the REST API; confirm the affected endpoint against the advisory before relying on it.
Limit Subscriber accounts
Temporarily close self-registration (Settings > General > Membership, which controls the users_can_register option) and review existing Subscriber accounts, since any account at that level can reach the vulnerable code. If Subscribers legitimately need the helpdesk, use WordPress role management plugins or custom code to narrow their capabilities rather than removing the accounts.
🧯 If You Can't Patch
- Put a web application firewall (WAF) in front of the site with rules that block SQL injection patterns (including URL-encoded and double-encoded forms) in requests to the SupportCandy REST API endpoints; treat this as a stopgap, since signature rules can be bypassed.
- Close self-registration so Subscriber accounts cannot be created on demand, require strong authentication (MFA where available) for all accounts, and restrict network access to the WordPress admin area where the site's use allows it.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > SupportCandy version. If version is below 3.1.7, system is vulnerable.
Check Version:
wp plugin list --name=supportcandy --field=version
Verify Fix Applied:
Confirm SupportCandy plugin version is 3.1.7 or higher in WordPress admin panel.
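Added example, not part of the original advisory: a Python check that reads the JSON output of `wp plugin list --format=json` and compares the installed SupportCandy version with 3.1.7 numerically. The sample JSON is constructed for this example and not captured from a real site; the script name in the usage note is assumed. Numeric comparison matters because a plain string comparison ranks a hypothetical 3.1.10 below 3.1.7 and would report a patched site as vulnerable.

```python
import json
import re

PLUGIN_SLUG = "supportcandy"
FIXED_VERSION = "3.1.7"  # first fixed release per this advisory

# Constructed sample of `wp plugin list --format=json` output; not real output from any site.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.1"},
    {"name": "supportcandy", "status": "active", "update": "none", "version": "3.1.10"},
])


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.1.10' (or '3.2.0-beta1') into a tuple of ints so 3.1.10 > 3.1.7."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(wp_cli_json: str, slug: str = PLUGIN_SLUG, fixed: str = FIXED_VERSION) -> dict:
    """Report whether the plugin is installed, its version, and whether it is below the fixed release."""
    plugins = {p["name"]: p for p in json.loads(wp_cli_json)}
    plugin = plugins.get(slug)
    if plugin is None:
        return {"installed": False, "version": None, "vulnerable": False}
    installed = plugin["version"]
    return {
        "installed": True,
        "version": installed,
        "status": plugin.get("status"),  # an inactive copy is still on disk; update it anyway
        "vulnerable": parse_version(installed) < parse_version(fixed),
    }


if __name__ == "__main__":
    import sys
    # Read real WP-CLI output from a pipe, otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    print(json.dumps(assess(data)))
```

Run it against a live site with `wp plugin list --format=json | python3 check_supportcandy.py`; across a fleet, pipe each site's output through the same script and alert on `"vulnerable": true`.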
📡 Detection & Monitoring
Log Indicators:
- SQL syntax in request parameters to the SupportCandy endpoints (UNION SELECT, SLEEP( or BENCHMARK(, quote-and-comment sequences such as ' -- ). WordPress does not log queries itself, so enable the database general query log, the slow-query log (time-based payloads show up there) or a query-logging plugin if you need query-level evidence.
- Bursts of requests to the same SupportCandy endpoint from one Subscriber account with systematically varied parameter values (characteristic of blind or automated injection), or newly self-registered accounts that go straight to those endpoints.
- Database errors (HTTP 500 responses, WordPress database error messages in the PHP error log) following requests to those endpoints.
Network Indicators:
- HTTP requests to /wp-json/supportcandy/* (and to wp-admin/admin-ajax.php, which WordPress plugins also commonly serve requests through) containing URL-encoded or double-encoded SQL injection payloads. Standard access logs do not record POST bodies, so rely on a WAF or application log for those.
- Unexpected outbound connections from the web or database server, which point to follow-on activity (data exfiltration, a web shell) rather than the injection itself.
SIEM Query (Splunk-style; search terms are case-insensitive in Splunk, other SIEMs may need lowercase variants; keywords alone are noisy, so scope to the plugin's paths and pair them with SQL syntax):
source="wordpress.log" (uri="*/wp-json/supportcandy/*" OR uri="*admin-ajax.php*") AND (uri="*UNION*SELECT*" OR uri="*SLEEP(*" OR uri="*BENCHMARK(*" OR uri="*%27*" OR uri="*'*" OR uri="*--*")
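Added example, not from the original advisory: a small Python scanner that applies the indicators above to web-server access-log lines. The five log lines are constructed for this example (the REST routes follow the /wp-json/supportcandy/* pattern named above; the admin-ajax action name and all addresses are illustrative). It URL-decodes each request target repeatedly so double-encoded payloads are inspected in the clear, limits itself to the plugin's REST namespace and admin-ajax.php, and requires SQL syntax rather than a bare keyword, so benign searches such as "union station" do not fire.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "POST /wp-json/supportcandy/v1/tickets HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:12:00:05 +0000] "GET /wp-json/supportcandy/v1/tickets?id=1%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--%20- HTTP/1.1" 500 0 "-" "python-requests/2.28"
198.51.100.9 - - [10/May/2023:12:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=wpsc_tickets&id=1%2520AND%2520SLEEP%285%29 HTTP/1.1" 200 33 "-" "curl/7.88"
198.51.100.9 - - [10/May/2023:12:02:00 +0000] "GET /?s=select+a+plan HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.4 - - [10/May/2023:12:03:00 +0000] "GET /wp-json/supportcandy/v1/tickets?search=union%20station HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# In scope: the plugin's REST namespace (pretty permalinks or ?rest_route=) and
# admin-ajax.php, the other path WordPress plugins commonly serve requests through.
TARGET_PATH_RE = re.compile(r"^/wp-json/supportcandy/|^/wp-admin/admin-ajax\.php$")

# Each indicator needs SQL syntax, not just a keyword, to keep search-box noise out.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"--\s|--$|/\*|#")),
    ("quoted_boolean", re.compile(r"'\s*(?:or|and)\s+\S+\s*(?:=|like)", re.I)),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.I)),
]


def decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> list[str]:
    """Return the names of the SQLi indicators present in an in-scope request target."""
    decoded = decode(target)
    path, _, query = decoded.partition("?")
    if not TARGET_PATH_RE.search(path) and "rest_route=/supportcandy/" not in query:
        return []
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan(log_text: str) -> list[dict]:
    """Parse combined-format lines and return one finding per suspicious in-scope request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "target": decode(m["target"]),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in scan(text):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {','.join(f['indicators'])} {f['target']}")
```

Point it at an access log (`python3 scan_supportcandy.py /var/log/nginx/access.log`; the script name is assumed) to get one line per flagged request. The first sample line is a POST with a clean URL and is not flagged: the payload, if any, was in the body, which access logs do not keep, so POST traffic to these endpoints needs WAF or application-level logging.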