CVE-2023-39560

CRITICAL NUCLEI

ECTouch v2 - SQL Injection via $arr['id'] Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-39560. PoCs published by halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains functional exploit code for multiple CVEs, including CVE-2023-39560, demonstrating vulnerabilities such as remote file inclusion, path traversal, and unauthorized file deletion. Each PoC includes specific HTTP requests or commands to exploit the vulnerabilities.

Description

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

Exploits (1)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2023/CVE-2023-39560.md

The repository contains functional exploit code for multiple CVEs, including CVE-2023-39560, demonstrating vulnerabilities such as remote file inclusion, path traversal, and unauthorized file deletion. Each PoC includes specific HTTP requests or commands to exploit the vulnerabilities.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.)
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 27, 2026 Full analysis →

Nuclei Templates (1)

ECTouch v2 - SQL Injection
CRITICALVERIFIEDby s4e-io
FOFA: icon_hash="127711143"

References (1)

Core 1
Core References
Exploit, Third Party Advisory
https://github.com/Luci4n555/cve_ectouch

Scores

CVSS v3 9.8
EPSS 0.0411
EPSS Percentile 89.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
ectouch/ectouch 2.0
Published Aug 28, 2023
Tracked Since Feb 18, 2026