CVE-2023-2805
SupportCandy < 3.1.7 - Admin+ SQLiThe SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
We have discovered 370 live websites that are affected by CVE-2023-2805.
Affected Software
| Product |  Supportcandy |
| Category | Wordpress Plugins |
| Vulnerable Domains | 370 live websites (18% of Supportcandy install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 26 versions ( 50% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Jun 19, 2023
- Updated - Dec 9, 2024
Credits
- dc11 (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2023-2805 United States | 86 websites |
 Italy | 41 websites |
 Germany | 29 websites |
 Iran | 24 websites |
 Russia | 20 websites |
 GB | 18 websites |
 Brazil | 16 websites |
 France | 16 websites |
 Spain | 11 websites |
 Australia | 9 websites |
Website Distribution by TLD
Number of websites using CVE-2023-2805| .com | 135 websites |
| .it | 31 websites |
| .ru | 18 websites |
| .com.br | 17 websites |
| .net | 11 websites |
| .org | 10 websites |
| .de | 8 websites |
| .pl | 6 websites |
| .com.au | 5 websites |
| .eu | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-2805
Top websites that are affected by CVE-2023-2805. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.app |  Bulgaria | **,*** | |
| ****************.com | GB | **,*** | |
| ********.pt | United States | **,*** | |
| *****.sv |  El Salvador | ***,*** | |
| *****************.com | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| *********.com | United States | ***,*** | |
| *********.de | Germany | ***,*** | |
| ************.***.au | Australia | ***,*** | |
| ************.com | United States | ***,*** |
FAQ
CVE-2023-2805 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Supportcandy
A total of 370 websites have been identified as vulnerable to CVE-2023-2805, based on global website indexing conducted by WebTechSurvey.
The Supportcandy is affected by the CVE-2023-2805 vulnerability.
Supportcandy versions up to 3.1.7 are vulnerable to CVE-2023-2805.
CVE-2023-2805 is resolved in version 3.1.7 of Supportcandy.