CVE-2023-54359

WordPress adivaha Travel Plugin 2.3 SQL Injection via pid

CVSS 8.8 HIGHEPSS 0.3%CWE-89

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Adivaha · WordPress adivaha Travel Plugin

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/51655unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wordpress.org/plugins/adiaha-hotel/https://www.adivaha.com/https://www.exploit-db.com/exploits/51655 https://www.vulncheck.com/advisories/wordpress-adivaha-travel-plugin-sql-injection-via-pid