CVE-2023-41507

9.8 CRITICAL

📋 TL;DR

Super Store Finder v3.6 contains SQL injection vulnerabilities in its store locator component that allow attackers to execute arbitrary SQL commands via the products, distance, lat, and lng parameters. This affects all websites running the vulnerable version of the plugin. Attackers can potentially read, modify, or delete database content.

💻 Affected Systems

Products:
  • Super Store Finder
Versions: v3.6 (and possibly earlier)
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress websites using the Super Store Finder plugin. The vulnerability is in the store locator component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠 Likely Case

Database information disclosure, data manipulation, or authentication bypass leading to unauthorized access.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via multiple parameters makes exploitation straightforward. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor patch notes for specific version

Vendor Advisory: https://superstorefinder.net/support/forums/topic/super-store-finder-patch-notes/

Restart Required: No

Instructions:

1. Update the Super Store Finder plugin to the latest patched version.
2. Verify the update in the WordPress admin panel.
3. Test store locator functionality.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add server-side validation to sanitize the products, distance, lat, and lng parameters

Implement parameterized queries or prepared statements in the PHP code

WAF Rule

Applies to: all

Deploy web application firewall rules to block SQL injection patterns

Configure the WAF to detect and block SQL injection attempts on the affected parameters
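As an added illustration of the Input Validation Filter workaround above (this is not code from the Super Store Finder plugin, which is PHP/MySQL), the following Python example shows the two layers together: an allowlist check on each of the four parameters, followed by a query in which every user-derived value is bound as a parameter. The table names, the demo rows and the bounding-box distance filter are constructed assumptions, and Python's sqlite3 module stands in for the plugin's database layer so the example runs offline.

```python
import math
import re
import sqlite3


class InvalidParameter(ValueError):
    """Raised when a request parameter fails the allowlist check."""


def validate_coordinate(raw, low, high, name):
    # Allowlist: optional sign, up to three digits, optional fraction. Anything else
    # (quotes, spaces, comment markers) is rejected before it gets near the database.
    if not isinstance(raw, str) or not re.fullmatch(r"-?\d{1,3}(\.\d{1,8})?", raw):
        raise InvalidParameter(f"{name}: expected a decimal number")
    value = float(raw)
    if not low <= value <= high:
        raise InvalidParameter(f"{name}: {value} outside [{low}, {high}]")
    return value


def validate_distance(raw, max_km=1000.0):
    if not isinstance(raw, str) or not re.fullmatch(r"\d{1,4}(\.\d{1,3})?", raw):
        raise InvalidParameter("distance: expected a positive decimal number")
    value = float(raw)
    if not 0 < value <= max_km:
        raise InvalidParameter(f"distance: {value} outside (0, {max_km}]")
    return value


def validate_products(raw, max_ids=20):
    # Comma-separated positive integer ids, bounded in count.
    if not isinstance(raw, str) or not re.fullmatch(r"\d{1,10}(,\d{1,10})*", raw):
        raise InvalidParameter("products: expected comma-separated integer ids")
    ids = [int(p) for p in raw.split(",")]
    if len(ids) > max_ids:
        raise InvalidParameter(f"products: more than {max_ids} ids")
    return ids


# Constructed demo schema and rows; the real plugin's table layout is not on the page.
DEMO_SCHEMA = """
CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                     lat REAL NOT NULL, lng REAL NOT NULL);
CREATE TABLE store_products (store_id INTEGER NOT NULL, product_id INTEGER NOT NULL);
"""
DEMO_STORES = [(1, "Store A", 51.50, -0.12), (2, "Store B", 51.51, -0.13), (3, "Store C", 48.85, 2.35)]
DEMO_PRODUCTS = [(1, 1), (1, 2), (2, 2), (3, 1)]


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    conn.executemany("INSERT INTO stores VALUES (?, ?, ?, ?)", DEMO_STORES)
    conn.executemany("INSERT INTO store_products VALUES (?, ?)", DEMO_PRODUCTS)
    return conn


def find_stores(conn, lat, lng, distance, products):
    """Store lookup: validate every parameter, then run a parameterized query."""
    lat_v = validate_coordinate(lat, -90.0, 90.0, "lat")
    lng_v = validate_coordinate(lng, -180.0, 180.0, "lng")
    dist_v = validate_distance(distance)
    ids = validate_products(products)

    # Coarse bounding box: about 111 km per degree of latitude, longitude scaled by cos(lat).
    d_lat = dist_v / 111.0
    d_lng = dist_v / (111.0 * max(math.cos(math.radians(lat_v)), 0.01))

    # Only '?' placeholders are interpolated into the SQL text; every user-derived value
    # travels as a bound parameter, so it can never change the structure of the query.
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT DISTINCT s.id, s.name FROM stores s "
        "JOIN store_products sp ON sp.store_id = s.id "
        f"WHERE sp.product_id IN ({placeholders}) "
        "AND s.lat BETWEEN ? AND ? AND s.lng BETWEEN ? AND ? "
        "ORDER BY s.id"
    )
    params = [*ids, lat_v - d_lat, lat_v + d_lat, lng_v - d_lng, lng_v + d_lng]
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(find_stores(db, "51.5", "-0.12", "10", "1,2"))
    try:
        find_stores(db, "51.5' OR '1'='1", "-0.12", "10", "1")
    except InvalidParameter as exc:
        print("rejected:", exc)
```

The allowlist is deliberately narrow: a coordinate is a number and nothing else, so a quote or a space fails validation before any query is built. The parameterized query is the second, independent layer; if a future code path forgets the validation, bound parameters still keep the input from altering the SQL. In the plugin's own PHP the equivalent would be `$wpdb->prepare()` or a PDO prepared statement with bound values.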

🧯 If You Can't Patch

  • Disable or remove the Super Store Finder plugin temporarily
  • Implement strict input validation and output encoding at application layer

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel for the Super Store Finder plugin version. If the version is 3.6 or earlier, assume it is vulnerable.

Check Version:

Check WordPress admin > Plugins > Super Store Finder for the installed version

Verify Fix Applied:

Update the plugin, then test the store locator with SQL injection test payloads to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed parameter validation attempts
  • Suspicious patterns in web server access logs (SQL keywords in parameters)

Network Indicators:

  • SQL injection payloads in HTTP requests to store locator endpoints
  • Unusual database connection patterns

SIEM Query:

Search web server access logs for SQL keywords in the affected query parameters, using a wildcard pattern such as: products=*SQL* OR distance=*SQL* OR lat=*SQL* OR lng=*SQL*
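The SIEM search above is a wildcard sketch; the following added Python example (not part of the advisory) makes the same check concrete. It parses constructed access-log lines, URL-decodes the products, distance, lat and lng values, and flags a value when it contains SQL tokens or does not have the shape a benign store-locator request would have. The request path /store-locator/search and the log lines are constructed for the example and do not come from the plugin.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Parameters named in the advisory as injection points.
WATCHED_PARAMS = {"products", "distance", "lat", "lng"}

# Shape of each parameter on a benign request (allowlist); anything else is "malformed".
EXPECTED = {
    "lat": re.compile(r"-?\d{1,3}(\.\d+)?"),
    "lng": re.compile(r"-?\d{1,3}(\.\d+)?"),
    "distance": re.compile(r"\d{1,4}(\.\d+)?"),
    "products": re.compile(r"\d+(,\d+)*"),
}

# High-confidence SQL tokens, checked after URL decoding so %27 and friends are caught.
SQL_PATTERN = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\binformation_schema\b|--|/\*|;|'|\")"
)

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    client: str
    param: str
    value: str
    reasons: tuple


def inspect_request(client, target):
    """Return a Finding for every watched parameter value that looks suspicious."""
    findings = []
    query = urlsplit(target).query
    # parse_qs percent-decodes values and returns a list per name (repeated params included).
    for param, values in parse_qs(query, keep_blank_values=True).items():
        if param not in WATCHED_PARAMS:
            continue
        for value in values:
            reasons = []
            if SQL_PATTERN.search(value):
                reasons.append("sql-pattern")
            if not EXPECTED[param].fullmatch(value):
                reasons.append("malformed")
            if reasons:
                findings.append(Finding(client, param, value, tuple(reasons)))
    return findings


def scan_log(lines):
    """Scan access-log lines in combined format; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings.extend(inspect_request(m["client"], m["target"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /store-locator/search?lat=51.5&lng=-0.12&distance=10&products=1,2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /store-locator/search?lat=51.5%27%20OR%201%3D1--&lng=-0.12&distance=10&products=1 HTTP/1.1" 200 9041 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /store-locator/search?lat=51.5&lng=-0.12&distance=10&products=1)%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.33 - - [10/Oct/2023:13:57:12 +0000] "GET /store-locator/search?lat=51.5&lng=-0.12&distance=abc&products=1 HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:58:00 +0000] "GET /?s=select HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} {f.param}={f.value!r} -> {', '.join(f.reasons)}")
```

Two details matter in practice. Decoding before matching is what lets a `%27` quote or a `%20UNION` keyword be seen, so a keyword-only search on the raw log line misses encoded payloads. The "malformed" signal is independent of any SQL signature: a value such as `distance=abc` carries no SQL token but is still not something the legitimate front end would send, so it is worth surfacing as a low-severity anomaly, while a hit on both signals from one client is a strong indicator.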
