{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5082", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2023-09-19T21:13:44.430Z", "datePublished": "2023-11-06T20:40:37.134Z", "dateUpdated": "2023-11-06T20:40:37.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-11-06T20:40:37.134Z"}, "title": "History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection", "problemTypes": [{"descriptions": [{"description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "History Log by click5", "versions": [{"status": "affected", "versionType": "custom", "version": "0", "lessThan": "1.0.13"}], "defaultStatus": "unaffected", "collectionURL": "https://wordpress.org/plugins"}], "descriptions": [{"lang": "en", "value": "The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it."}], "references": [{"url": "https://wpscan.com/vulnerability/13a196ba-49c7-4575-9a49-3ef9eb2348f3", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Karolis Narvilas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:click5interactive:sitemap_by_click5:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "004DD77B-6196-4119-96EA-4CA3CE24FC50", "versionEndExcluding": "1.0.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it."}, {"lang": "es", "value": "El complemento History Log by click5 para Wordpress anterior a 1.0.13 no sanitiza ni escapa adecuadamente un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL, lo que genera una inyecci\u00f3n de SQL explotable por los usuarios administradores cuando usan el complemento Smash Balloon Social Photo Feed junto con \u00e9l."}], "id": "CVE-2023-5082", "lastModified": "2023-11-14T15:33:18.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-06T21:15:09.517", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/13a196ba-49c7-4575-9a49-3ef9eb2348f3"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}