Login Sign Up

CVE-2023-2805

7.2 HIGH
SQL Injection

📋 TL;DR

This SQL injection vulnerability in the SupportCandy WordPress plugin allows authenticated high-privilege users (like administrators) to execute arbitrary SQL commands on the database. Attackers with admin access can potentially read, modify, or delete database content, including sensitive user data. Only WordPress sites running vulnerable versions of SupportCandy are affected.

💻 Affected Systems

Products:
  • SupportCandy WordPress Plugin
Versions: All versions before 3.1.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin or high-privilege user access. WordPress installations with vulnerable plugin versions are affected regardless of OS.

📦 What is this software?

Supportcandy by Supportcandy

View all CVEs affecting Supportcandy →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, privilege escalation to full system access, or installation of persistent backdoors.

🟠

Likely Case

Data exfiltration of sensitive information (user credentials, personal data), privilege escalation to gain full administrative control, or database corruption.

🟢

If Mitigated

Limited impact due to proper access controls, database permissions restrictions, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access. SQL injection via agents[] parameter in set_add_agent_leaves AJAX function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7

Vendor Advisory: https://wpscan.com/vulnerability/bdb75c8c-87e2-4358-ad3b-f4236e9a43c0

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find SupportCandy plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 3.1.7+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Temporarily disable the set_add_agent_leaves AJAX function via custom code or plugin deactivation

Add to theme's functions.php: remove_action('wp_ajax_set_add_agent_leaves', 'your_callback_function');

Restrict admin access

all

Temporarily limit administrative access to essential personnel only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WordPress instance
  • Apply database-level controls: restrict database user permissions, enable query logging, implement WAF rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > SupportCandy version. If version < 3.1.7, vulnerable.

Check Version:

wp plugin list --name=supportcandy --field=version (if WP-CLI installed)

Verify Fix Applied:

Confirm SupportCandy version is 3.1.7 or higher in WordPress plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple AJAX requests to /wp-admin/admin-ajax.php with agents[] parameter
  • Unexpected admin account activity

Network Indicators:

  • Suspicious POST requests to admin-ajax.php with SQL-like payloads in agents[] parameter

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "agents[]" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE")

📊 Metadata

CVE ID: CVE-2023-2805
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: June 19, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON