Platform
wordpress
Component
wordpress
Fixed version
2.3.1
CVE-2023-54359 describes a time-based blind SQL injection vulnerability discovered in the adivaha Travel Plugin for WordPress. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting malicious SQL code through the 'pid' GET parameter of the /mobile-app/v3/ endpoint. The vulnerability impacts versions prior to 2.4 and requires no authentication to exploit. A fix is available in version 2.4 of the plugin.
Successful exploitation of CVE-2023-54359 allows an attacker to extract sensitive data stored within the WordPress database. This could include user credentials, customer information, and potentially other confidential data depending on the plugin’s configuration and data storage practices. The time-based nature of the injection means data extraction is a slower process, but it doesn't prevent an attacker from systematically querying the database. Beyond data exfiltration, the attacker could also potentially cause a denial of service by injecting SQL code that disrupts database operations or corrupts data. The lack of authentication required significantly broadens the attack surface, making the vulnerability particularly concerning.
CVE-2023-54359 was published on 2026-04-09. Its severity is considered HIGH (CVSS 8.2). Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation and lack of authentication make it a potential target. No KEV or EPSS score is currently available. Monitor security advisories and threat intelligence feeds for updates.
Exploitation status
EPSS
0.08% (24th percentile)
CVSS vector
The primary mitigation for CVE-2023-54359 is to immediately upgrade the adivaha Travel Plugin to version 2.4 or later, which contains the necessary fix. If upgrading is not immediately feasible, implement a Web Application Firewall (WAF) rule to filter requests to the /mobile-app/v3/ endpoint that contain suspicious characters or patterns in the 'pid' parameter. Specifically, look for XOR-based payloads or other SQL injection attempts. Consider using a WordPress security plugin with SQL injection protection capabilities. After upgrading, confirm the vulnerability is resolved by attempting a controlled injection test on the /mobile-app/v3/ endpoint with a benign SQL query.
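The WAF-style filtering described above can also be applied retroactively to web server access logs to find probing of the affected endpoint. The following is an added example (not code from the advisory or from the adivaha plugin) that allow-lists a purely numeric 'pid' on /mobile-app/v3/ and flags anything else, grading hits by whether they carry a timing function (the signature of time-based blind injection) or other SQL metacharacters; the combined-style log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory; the log format is an assumption
# (Apache/Nginx combined-style access log).
ENDPOINT_PREFIX = "/mobile-app/v3/"
PARAM = "pid"

# Time-based blind SQLi leaves the response body unchanged and leaks data through
# delay, so timing functions in a parameter that should only ever hold a numeric
# id are the strongest signal; generic SQL glue is a weaker one.
TIMING_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)
SQL_GLUE = re.compile(r"\b(xor|and|or|union|select)\b|['\"()#;]|--|/\*", re.IGNORECASE)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')


def inspect_request(target: str):
    """Return None for a clean request, else (pid_value, reason)."""
    parts = urlsplit(target)
    if not parts.path.startswith(ENDPOINT_PREFIX):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    value = values[0]
    if re.fullmatch(r"\d{1,10}", value):
        return None  # allow-list: a bare numeric id is all the endpoint expects
    if TIMING_FUNCS.search(value):
        return (value, "time-based SQL injection pattern")
    if SQL_GLUE.search(value):
        return (value, "SQL metacharacters in numeric parameter")
    return (value, "non-numeric pid")


def scan_log(lines):
    """Return (ip, timestamp, pid_value, reason) for every suspicious hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := inspect_request(m["target"])):
            hits.append((m["ip"], m["ts"], verdict[0], verdict[1]))
    return hits


# Constructed sample log lines (not real traffic): one benign lookup, two probes,
# one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:10:00:01 +0000] "GET /mobile-app/v3/?pid=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Apr/2026:10:00:07 +0000] "GET /mobile-app/v3/?pid=42%20XOR%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Apr/2026:10:00:13 +0000] "GET /mobile-app/v3/?pid=42%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [09/Apr/2026:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Requests flagged with the time-based reason from a single source in quick succession are the pattern to alert on; the same `inspect_request` predicate is what a WAF rule for this endpoint should encode.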
Update the adivaha Travel plugin to the latest available version to mitigate the time-based blind SQL injection vulnerability. If no updated version is available, consider disabling or removing the plugin until a secure update is released.
CVE-2023-54359 is a HIGH severity SQL Injection vulnerability affecting the adivaha Travel Plugin for WordPress. It allows unauthenticated attackers to manipulate database queries via the 'pid' GET parameter, potentially leading to data theft or denial of service.
You are affected if you are using the adivaha Travel Plugin for WordPress in a version prior to 2.4. Check your plugin version and upgrade immediately if necessary.
Upgrade the adivaha Travel Plugin to version 2.4 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests to the /mobile-app/v3/ endpoint.
Currently, there are no publicly known active campaigns exploiting this vulnerability, but its ease of exploitation makes it a potential target.
Refer to the official adivaha Travel Plugin website and the WordPress plugin repository for updates and advisories related to CVE-2023-54359.