CVE-2023-3077

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform blind SQL injection attacks on WordPress sites using the MStore API plugin before version 3.9.8. The attack is only possible if the site owner has purchased pro features and also uses the woocommerce-appointments plugin. Successful exploitation could lead to database compromise and data theft.

💻 Affected Systems

Products:
  • MStore API WordPress plugin
Versions: All versions before 3.9.8
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when both conditions are met: 1) Site owner has purchased pro features, 2) woocommerce-appointments plugin is installed and active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data exfiltration, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Data theft from the WordPress database including user credentials, payment information, and appointment details.

🟢 If Mitigated

No impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Blind SQL injection requires time-based or boolean-based techniques but is well-documented and automated tools exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.8

Vendor Advisory: https://wpscan.com/vulnerability/9480d0b5-97da-467d-98f6-71a32599a432

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find MStore API plugin.
4. Click 'Update Now' if update is available.
5. Alternatively, download version 3.9.8+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin (Linux)

Temporarily disable MStore API plugin until patched:

wp plugin deactivate mstore-api

Web Application Firewall rule (all platforms)

Block SQL injection patterns targeting MStore API endpoints

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in custom code
  • Deploy web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

In WordPress admin, go to Plugins and check the MStore API version. If the version is below 3.9.8 and both pro features and woocommerce-appointments are active, the site is vulnerable.

Check Version:

wp plugin get mstore-api --field=version

Verify Fix Applied:

Confirm MStore API plugin version is 3.9.8 or higher in WordPress admin panel.
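
The checks in this section combined into one WP-CLI triage script (an added example, not part of the original advisory or the plugin's code). The plugin slug `woocommerce-appointments`, the function names and the verdict words are assumptions; pro-feature status cannot be read by the script and is passed in by hand, and `sort -V` is assumed to be available.

```shell
#!/bin/sh
# Added example: triage one WordPress install for CVE-2023-3077 exposure.
FIXED_VERSION="3.9.8"   # patch version stated on this page

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify VERSION APPOINTMENTS_ACTIVE(yes|no) PRO_FEATURES(yes|no|unknown)
# Prints one verdict word, following the conditions listed on this page.
classify() {
    if [ -z "$1" ]; then echo "not-installed"; return; fi
    if ! version_lt "$1" "$FIXED_VERSION"; then echo "patched"; return; fi
    if [ "$2" != "yes" ] || [ "$3" = "no" ]; then
        echo "outdated-not-exposed"   # old version, preconditions not met
    elif [ "$3" = "yes" ]; then
        echo "vulnerable"             # old version and both preconditions met
    else
        echo "outdated-check-pro"     # pro status must be confirmed by hand
    fi
}

# check_site WP_PATH [PRO]: gather facts with WP-CLI and classify them.
check_site() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }
    ver=$(wp --path="$1" plugin get mstore-api --field=version 2>/dev/null) || ver=""
    # Slug below is assumed from the plugin name used on this page.
    if wp --path="$1" plugin is-active woocommerce-appointments >/dev/null 2>&1; then
        appt=yes
    else
        appt=no
    fi
    echo "$1: $(classify "$ver" "$appt" "${2:-unknown}")"
}

# Run only when a WordPress path is given: ./check.sh /var/www/html [yes|no]
if [ "$#" -gt 0 ]; then
    check_site "$@"
fi
```

An `outdated-*` verdict still calls for updating to 3.9.8 or later, since either precondition can change after the check.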

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress debug logs
  • Multiple failed login attempts from single IP
  • Long response times from API endpoints suggesting time-based SQLi

Network Indicators:

  • HTTP requests with SQL injection payloads to /wp-json/mstore/* endpoints
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND ("SQL syntax" OR "mysql_error" OR "wp_mstore")
