CVE-2023-30750

8.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the CM Popup Plugin for WordPress allows attackers to execute arbitrary SQL commands through unsanitized user input. It affects all WordPress sites using CM Popup Plugin versions up to 1.5.10. Successful exploitation could lead to database compromise and unauthorized data access.

💻 Affected Systems

Products:
  • CreativeMindsSolutions CM Popup Plugin for WordPress
Versions: All versions up to and including 1.5.10
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, or deletion; potential privilege escalation to WordPress administrator; possible server compromise through SQL command execution.

🟠 Likely Case

Unauthorized access to sensitive WordPress database content including user credentials, posts, comments, and plugin data; potential for data exfiltration or modification.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection; database remains protected with minimal exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities in WordPress plugins are commonly exploited; public details available through Patchstack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.11 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/cm-pop-up-banners/wordpress-cm-pop-up-banners-for-wordpress-plugin-1-5-10-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'CM Pop Up Banners for WordPress'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.5.11+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

Platform: all

Temporarily disable the CM Popup Plugin until patched:

wp plugin deactivate cm-pop-up-banners

Web Application Firewall (WAF)

Platform: all

Implement WAF rules to block SQL injection patterns

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in custom code
  • Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for CM Pop Up Banners version

Check Version:

wp plugin get cm-pop-up-banners --field=version

Verify Fix Applied:

Confirm plugin version is 1.5.11 or higher in WordPress admin
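The version check above, as an added shell example that is not part of this advisory: it wraps the advisory's own `wp plugin get` command and compares the result against the fixed release with a small dot-separated version comparison, so it can run unattended from cron. The helper names (`version_lt`, `is_vulnerable`, `check_installed`) and the `--check` flag are assumptions of mine; it assumes wp-cli is on PATH and the script runs from the WordPress root.

```shell
#!/bin/sh
# Added example, not from the advisory: flag an installed CM Pop Up Banners
# version that is still in the affected range (everything below 1.5.11).
# Assumes wp-cli is on PATH and the script runs from the WordPress root.
# Helper names (version_lt, is_vulnerable, check_installed) are my own.
FIXED_VERSION="1.5.11"          # first patched release per the advisory
PLUGIN_SLUG="cm-pop-up-banners" # slug used by the advisory's wp-cli commands

# Return 0 when dotted version $1 sorts strictly before $2, comparing each
# numeric field in turn. Non-digit suffixes such as "-beta" are ignored, and a
# missing field counts as 0 (so 1.5 == 1.5.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop the field just read; empty the string if it was the last one
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); ai="${ai:-0}"
        bi=$(printf '%s' "$bi" | tr -cd '0-9'); bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1  # all fields equal
}

# Return 0 (true) when the given plugin version is affected by CVE-2023-30750.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Query wp-cli for the installed version and report. Exit codes:
# 0 = patched, 1 = vulnerable, 2 = plugin not installed or wp-cli failed.
check_installed() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "$PLUGIN_SLUG: not installed or wp-cli unavailable"; return 2; }
    if is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed: VULNERABLE (update to $FIXED_VERSION or later)"
        return 1
    fi
    echo "$PLUGIN_SLUG $installed: patched"
    return 0
}

# Only run the live check when asked, e.g. from cron: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
    exit $?
fi
```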

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP
  • Unexpected database errors in WordPress logs

Network Indicators:

  • SQL injection patterns in HTTP requests
  • Unusual outbound database connections

SIEM Query:

source="wordpress.log" AND "cm-pop-up-banners" AND ("database error" OR "SQL syntax")
