CVE-2023-1730

CRITICAL NUCLEI

SupportCandy WP <3.1.5 - SQL Injection

Title source: llm

Description

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks

Nuclei Templates (1)

SupportCandy < 3.1.5 - Unauthenticated SQL Injection

CRITICALVERIFIEDby theamanrawat

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7

Scores

CVSS v3 9.8

EPSS 0.8180

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

supportcandy/supportcandy < 3.1.5

Published May 02, 2023

Tracked Since Feb 18, 2026