CVE-2023-2744

7.2 HIGH

📋 TL;DR

This CVE describes a SQL injection vulnerability in the WP ERP WordPress plugin affecting versions before 1.12.4. The plugin does not properly sanitise and escape the 'type' parameter before using it in a SQL statement reached through a REST API endpoint, so an authenticated user with administrative privileges can inject arbitrary SQL. This could lead to reading, modifying or deleting any data the site's database user can reach, including password hashes and other records in the WordPress tables.

💻 Affected Systems

Products:
  • WordPress WP ERP Plugin
Versions: All versions before 1.12.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the WP ERP plugin active (an inactive plugin registers no REST routes, so the endpoint is unreachable) and an attacker who holds, or has obtained, an administrator-level account.

📦 What is this software?

WP ERP is a WordPress plugin by weDevs that adds HR, CRM and accounting modules to a WordPress site. Much of its functionality is exposed to its own admin screens through custom REST API routes, which is the surface this vulnerability sits on.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding an administrator account uses the injection to read or rewrite every table the site's database user can reach (WordPress core tables, ERP business data and, on a shared database server with loose grants, other databases), exfiltrates the data, and then destroys or ransoms it.

🟠

Likely Case

Data leakage from the WordPress database, including password hashes and user metadata from the core tables, sensitive business data such as the HR, CRM and accounting records WP ERP stores, or other plugin-specific information.

🟢

If Mitigated

Patching removes the flaw outright. Access controls only shrink the pool of accounts that can exploit it, and an attacker who already holds a WordPress administrator account can normally run arbitrary PHP by uploading a plugin anyway. The injection therefore matters most where plugin installation is blocked (DISALLOW_FILE_MODS) or on multisite networks where site administrators are not super admins and cannot install code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin-level authentication; because the sink is a REST endpoint, a logged-in browser session is not needed if the attacker holds an administrator's application password, which the REST API accepts over HTTP basic auth. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.4

Vendor Advisory: https://wpscan.com/vulnerability/435da8a1-9955-46d7-a508-b5738259e731

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'WP ERP' plugin.
4. Click 'Update Now' if available, or download version 1.12.4 or later from the WordPress plugin repository and install it over the old copy.
5. Confirm the plugin is still active after the update.

From WP-CLI the same update is: wp plugin update erp

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

Platform: all

Remove or restrict access to the vulnerable /erp/v1/accounting/v1/people endpoint.

Add to a must-use plugin (preferred over theme functions.php, which stops running on a theme switch) or a custom plugin: remove_action('rest_api_init', 'erp_register_rest_routes');

Caveat: remove_action only takes effect if the plugin registered its routes with exactly that callback name and the default priority, and your call runs after the plugin's add_action; confirm the hook against the installed plugin source before relying on it. It also unregisters every ERP REST route, not just the vulnerable one, so the plugin's admin screens that depend on the REST API will stop working until the patch is applied.

Implement WAF rules

Platform: linux

Add web application firewall rules to block SQL injection patterns in the 'type' parameter.

ModSecurity rule: SecRule ARGS:type "@detectSQLi" "id:1001,phase:2,deny,status:403,log"

Caveat: ARGS covers query-string and form-encoded parameters. If the endpoint is called with a JSON body, ModSecurity only populates ARGS from it when the JSON body processor is enabled (ctl:requestBodyProcessor=JSON for application/json requests), so check how the plugin's client sends the request before trusting the rule. @detectSQLi is libinjection-based and can be evaded; treat it as a stopgap, not a fix.

🧯 If You Can't Patch

  • Restrict admin privileges to only trusted users, and enforce MFA on administrator logins, since the exploit requires an administrator credential
  • Revoke unused application passwords on administrator accounts; they authenticate REST requests without a browser session
  • Deactivate WP ERP until it can be updated if its modules are not in daily use; an inactive plugin registers no REST routes
  • Give the WordPress database user only the privileges it needs (no access to other databases on the same server) to bound what the injection can reach
  • Implement database monitoring for unusual SQL queries

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel > Plugins > Installed Plugins for the WP ERP version. If the version is below 1.12.4, the site is vulnerable (compare version numbers numerically: 1.12.10 is newer than 1.12.4).

Check Version:

wp plugin list --name=erp --field=version

Verify Fix Applied:

Confirm WP ERP plugin version is 1.12.4 or higher in WordPress admin panel.
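A fleet-wide version check, as an added example that is not code from this page or from WP ERP: it consumes the JSON form of the WP-CLI output quoted above (wp plugin list --format=json), compares versions numerically so that 1.12.10 is not mistaken for a release older than 1.12.4, and distinguishes a vulnerable-but-inactive install from an exposed one. The site names and plugin records are constructed sample data; the plugin slug erp and the name/status/version fields are what WP-CLI's plugin list emits.

```python
import json
import re

PLUGIN_SLUG = "erp"          # WordPress.org slug of WP ERP, as used by `wp plugin list --name=erp`
FIXED_VERSION = "1.12.4"     # first fixed release per the advisory

# Constructed sample: what `wp plugin list --format=json` returns on four sites.
# The site names and versions are made up for this example.
SAMPLE_INVENTORY = {
    "site-a": '[{"name":"erp","status":"active","update":"available","version":"1.12.3"}]',
    "site-b": '[{"name":"erp","status":"active","update":"none","version":"1.12.10"}]',
    "site-c": '[{"name":"erp","status":"inactive","update":"available","version":"1.11.0"},'
              '{"name":"akismet","status":"active","update":"none","version":"5.1"}]',
    "site-d": '[{"name":"akismet","status":"active","update":"none","version":"5.1"}]',
}


def version_key(version):
    """Numeric sort key so that 1.12.10 ranks above 1.12.4 (a plain string
    comparison gets this wrong). A pre-release suffix such as '1.12.4-beta1'
    sorts below the bare release, so it is still treated as unfixed."""
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return (nums, 0 if suffix == "" else -1)


def assess(plugin_list_json):
    """Assess one site's `wp plugin list --format=json` output.
    'vulnerable' means the installed version predates the fix; 'exposed' means
    it is also active (or network-active on multisite), because an inactive
    plugin registers no REST routes and the endpoint cannot be reached. An
    inactive vulnerable copy still needs updating before it is reactivated."""
    plugins = json.loads(plugin_list_json)
    erp = next((p for p in plugins if p["name"] == PLUGIN_SLUG), None)
    if erp is None:
        return {"installed": False, "vulnerable": False, "exposed": False}
    vulnerable = version_key(erp["version"]) < version_key(FIXED_VERSION)
    active = erp["status"] in ("active", "active-network")
    return {
        "installed": True,
        "version": erp["version"],
        "status": erp["status"],
        "vulnerable": vulnerable,
        "exposed": vulnerable and active,
    }


def report(inventory):
    """Map each site name to its assessment."""
    return {site: assess(output) for site, output in inventory.items()}


if __name__ == "__main__":
    for site, result in report(SAMPLE_INVENTORY).items():
        print(site, result)
```

In practice the inventory dict is filled by running wp plugin list --format=json against each site (over SSH, or via wp --ssh=), and the 'exposed' sites are the ones to patch first.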

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs (if the MySQL general or audit log is enabled: statements against the ERP people tables containing UNION, SLEEP(), BENCHMARK() or comment sequences)
  • Multiple requests to /wp-json/erp/v1/accounting/v1/people (or /?rest_route=/erp/v1/accounting/v1/people when pretty permalinks are off) with varying 'type' values from one account or source IP
  • Admin user performing unexpected database operations, or an administrator session or application-password login from an unfamiliar IP shortly before such requests

Network Indicators:

  • Requests to /wp-json/erp/v1/accounting/v1/people with SQL patterns (quotes, comment sequences, UNION SELECT, SLEEP) in the 'type' parameter; note that access logs only record the query string, so a payload carried in a POST body is invisible without WAF or application-level logging
  • Unusual database connection patterns from the web server, such as long-running queries consistent with time-based injection

SIEM Query (pseudo-query; adapt field names and wildcard syntax to your platform):

source="web_logs" AND uri_path="/wp-json/erp/v1/accounting/v1/people" AND (param_type="*'*" OR param_type="*UNION*" OR param_type="*SELECT*" OR param_type="*SLEEP(*" OR param_type="*--*")
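Detection logic for the indicators above, as an added example that is not part of the original page: it scans constructed access-log lines (combined log format, made up for this example) for requests to the endpoint in both the /wp-json/ form and the ?rest_route= fallback WordPress uses when pretty permalinks are disabled, flags 'type' values that carry injection indicators, records that a POST body payload is not visible in the access log, and reports a source that cycles through many distinct 'type' values. The endpoint path is the one the page names; the indicator patterns are a starting point, not an exhaustive SQL injection signature set.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format. These are made
# up for this example and are not real traffic from any site.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /wp-json/erp/v1/accounting/v1/people?type=customer HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2023:10:01:07 +0000] "GET /wp-json/erp/v1/accounting/v1/people?type=customer'%20OR%201=1--%20 HTTP/1.1" 200 9120 "-" "curl/7.88.1"
10.0.0.9 - - [12/May/2023:10:01:09 +0000] "GET /wp-json/erp/v1/accounting/v1/people?type=x'%20UNION%20SELECT%20user_login,user_pass,3%20FROM%20wp_users--%20 HTTP/1.1" 200 14002 "-" "curl/7.88.1"
10.0.0.9 - - [12/May/2023:10:01:15 +0000] "GET /?rest_route=/erp/v1/accounting/v1/people&type=x'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 810 "-" "curl/7.88.1"
10.0.0.7 - - [12/May/2023:10:02:00 +0000] "GET /wp-json/erp/v1/accounting/v1/people?type=vendor&page=2 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2023:10:02:30 +0000] "POST /wp-json/erp/v1/accounting/v1/people HTTP/1.1" 200 512 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Route as the page names it; confirm it against the route index your site
# serves at /wp-json/ before relying on it.
ENDPOINT = "/erp/v1/accounting/v1/people"

# 'type' should be a short slug, so any of these in the value is suspicious.
SQLI_PATTERNS = [
    (r"['\"]", "quote"),
    (r"--|/\*|#", "comment"),
    (r"\bunion\b[\s\S]*\bselect\b", "union-select"),
    (r"\b(?:or|and)\b\s+\S+?\s*=\s*\S+", "tautology"),
    (r"\b(?:sleep|benchmark|pg_sleep)\s*\(", "time-based"),
]


def rest_route(target):
    """Return (route, query) for a request target. WordPress serves REST routes
    both as /wp-json/<route> and, when pretty permalinks are disabled, as
    /?rest_route=<route>; a detection keyed on the path alone misses the second."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return parts.path, query


def sqli_indicators(value):
    """Names of the SQLI_PATTERNS that match the (already decoded) value."""
    lowered = value.lower()
    return [name for pattern, name in SQLI_PATTERNS if re.search(pattern, lowered)]


def scan(log_text, enumeration_threshold=3):
    """Scan access-log text for CVE-2023-2744 indicators. Returns finding dicts
    whose 'kind' is 'sqli', 'unlogged-body' or 'enumeration'."""
    findings = []
    type_values_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route, query = rest_route(m["target"])
        if route.rstrip("/") != ENDPOINT:
            continue
        for value in query.get("type", []):
            type_values_by_ip[m["ip"]].add(value)
            hits = sqli_indicators(value)
            if hits:
                findings.append({"kind": "sqli", "ip": m["ip"], "ts": m["ts"],
                                 "type": value, "indicators": hits})
        if m["method"] in ("POST", "PUT", "PATCH") and "type" not in query:
            # A payload sent in the request body never reaches the access log;
            # this request can only be judged with WAF or application logging.
            findings.append({"kind": "unlogged-body", "ip": m["ip"], "ts": m["ts"]})
    for ip, values in type_values_by_ip.items():
        if len(values) >= enumeration_threshold:
            findings.append({"kind": "enumeration", "ip": ip, "distinct_types": len(values)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; the enumeration threshold is deliberately low for the sample and should be tuned against how many legitimate 'type' values the plugin actually queries.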
