CVE-2023-54359

Name of the Vulnerable Software and Affected Versions WordPress adivaha Travel Plugin version 2.3

Description The adivaha Travel Plugin for WordPress version 2.3 contains a time-based blind SQL injection vulnerability. Unauthenticated attackers can manipulate database queries by injecting SQL code through the pid GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted pid values using XOR-based payloads to extract sensitive database information or cause denial of service.

Recommendations Update WordPress adivaha Travel Plugin to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /mobile-app/v3/ endpoint.