CVE-2023-2608 LOW

CVE-2023-2608: Multiple Page Generator Plugin <= 3.3.17 - Cross-Site Request Forgery to SQL Injection

Vendor Themeisle
Product Multiple Page Generator Plugin – MPG
Weakness CWE-352 · CSRF
Published May 17, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries leading to resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link. Version 3.3.18 addresses the SQL Injection, which drastically reduced the severity.

Key dates

02Disclosure timeline

May 17, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-14999 Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update CVE-2026-22880 Mobile SSO authentication flow allows credential theft via malicious server CVE-2023-49775 WordPress CSV Importer Plugin <= 0.3.8 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-1506 Wp Social Login and Register Social Counter <= 3.1.0 - Cross-Site Request Forgery to Settings Update CVE-2025-28984 WordPress Subscription Renewal Reminders for WooCommerce plugin <= 1.4.1 - Cross Site Request Forgery (CSRF) vulnerability