CVE-2023-46084 – This SQL injection vulnerability in the WordPre... (How to Fix)

Q: What is the severity of CVE-2023-46084?

CVE-2023-46084 has a CVSS score of 8.8 (HIGH). This SQL injection vulnerability in the WordPress Icons Font Loader plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites using versions 1.1.2 and earlier of the plugin. Attackers can potentially access, modify, or delete database content.

📋 TL;DR

This SQL injection vulnerability in the WordPress Icons Font Loader plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites using versions 1.1.2 and earlier of the plugin. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:

WordPress Icons Font Loader plugin

Versions: 1.1.2 and earlier

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with vulnerable plugin version. Subscriber-level access needed for exploitation.

📦 What is this software?

Icons Font Loader by Bplugins

View all CVEs affecting Icons Font Loader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, privilege escalation to administrator, and potential website defacement or takeover.

🟠

Likely Case

Unauthorized data access including user credentials, sensitive content, and plugin/theme configurations.

🟢

If Mitigated

Limited impact with proper input validation and database user permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires subscriber-level WordPress access. SQL injection is well-understood with many available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/icons-font-loader/wordpress-icons-font-loader-plugin-1-1-2-subscriber-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Icons Font Loader. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.1.3+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Icons Font Loader plugin until patched

wp plugin deactivate icons-font-loader

Restrict user registration

all

Disable new user registration to prevent attacker account creation

Settings > General > Membership: Uncheck 'Anyone can register'

🧯 If You Can't Patch

Implement web application firewall (WAF) with SQL injection rules
Restrict database user permissions to SELECT only for plugin operations

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Icons Font Loader version. If version is 1.1.2 or earlier, you are vulnerable.

Check Version:

wp plugin get icons-font-loader --field=version

Verify Fix Applied:

Verify plugin version is 1.1.3 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts from single IP
Unexpected database schema changes

Network Indicators:

SQL syntax in HTTP POST parameters
Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND "icons-font-loader" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE")

📊 Metadata

CVE ID: CVE-2023-46084

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: November 6, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46084, you might also want to check these: