CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The Short URL WordPress plugin through 1.6.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with relatively low privilege on the site, like subscribers.
Analysis (AI)
The Short URL WordPress plugin through version 1.6.8 contains a SQL injection vulnerability (CWE-89): a parameter is used in SQL statements without sanitisation or escaping. The flaw is exploitable by low-privileged users (subscribers), allowing attackers to extract sensitive database information, modify data, or potentially execute arbitrary code. With a CVSS score of 8.8 and a network attack vector requiring only low privileges, this represents a critical risk to WordPress installations running vulnerable plugin versions.
Technical Context (AI)
The vulnerability exists in the Short URL WordPress plugin (CPE: wp:short-url-plugin, affected versions ≤ 1.6.8), a WordPress plugin that creates shortened URLs for posts and pages. The root cause is improper input validation and missing parameterisation in SQL query construction (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The plugin neither uses prepared statements nor properly escapes user-supplied input before incorporating it into database queries. WordPress users with the subscriber role or higher can inject arbitrary SQL through an unspecified parameter, bypassing the plugin's access controls. The vulnerability resides in the plugin's core query handling logic, likely in functions that retrieve or process shortened URL data.
Remediation (AI)
- Upgrade: Upgrade the Short URL plugin to version 1.6.9 or later; method: WordPress Admin Dashboard → Plugins → Available Updates, or manually download from wordpress.org/plugins/short-url/
- Immediate Mitigation: Deactivate and remove the Short URL plugin if immediate patching is not possible; method: WordPress Admin Dashboard → Plugins → Deactivate/Delete
- Access Control: Restrict subscriber role capabilities and audit subscriber account creation; method: review and limit subscriber-level permissions; implement Web Application Firewall (WAF) rules to detect SQL injection patterns in plugin parameters
- Detection: Monitor database query logs and WordPress logs for suspicious SQL patterns; method: enable WordPress debug logging; review database slow query logs and error logs for injection attempts
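The root cause described under Technical Context (string-built SQL with no prepared statement) and the fix the remediation implies are illustrated below with an added PHP example. It is not code from the Short URL plugin; the lookup function, the `short_urls` table and the `slug` parameter are hypothetical stand-ins, since the affected parameter is unspecified.

```php
<?php
// Added illustration, not the Short URL plugin's code. Assumes the WordPress
// $wpdb global and a hypothetical table {$wpdb->prefix}short_urls with
// columns id, slug, target. The parameter name "slug" is also hypothetical.

// VULNERABLE pattern (the class of defect the advisory describes): the
// request value is concatenated straight into the SQL string, so any quote
// or SQL metacharacter in $slug changes the structure of the query.
function shorturl_lookup_vulnerable( $slug ) {
    global $wpdb;
    $table = $wpdb->prefix . 'short_urls';
    return $wpdb->get_row( "SELECT id, target FROM {$table} WHERE slug = '{$slug}'" );
}

// HARDENED exact-match lookup: the value is bound through $wpdb->prepare(),
// so the database always treats it as data, never as SQL. The table name
// cannot be a placeholder, so it is built only from the trusted $wpdb->prefix.
function shorturl_lookup_hardened( $slug ) {
    global $wpdb;

    // Reduce the input to the characters a slug may legitimately contain.
    $slug = sanitize_title( wp_unslash( $slug ) );
    if ( '' === $slug ) {
        return null;
    }

    $table = $wpdb->prefix . 'short_urls';
    $sql   = $wpdb->prepare(
        "SELECT id, target FROM {$table} WHERE slug = %s",
        $slug
    );
    return $wpdb->get_row( $sql );
}

// HARDENED prefix search: a LIKE pattern needs BOTH escaping of the wildcard
// characters (% and _) via $wpdb->esc_like() AND binding via prepare();
// prepare() alone does not neutralise wildcards.
function shorturl_search_hardened( $prefix ) {
    global $wpdb;

    $prefix = sanitize_title( wp_unslash( $prefix ) );
    if ( '' === $prefix ) {
        return array();
    }

    $table   = $wpdb->prefix . 'short_urls';
    $pattern = $wpdb->esc_like( $prefix ) . '%';
    $sql     = $wpdb->prepare(
        "SELECT id, slug, target FROM {$table} WHERE slug LIKE %s LIMIT 50",
        $pattern
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this defect, grep for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose SQL string is built with interpolation or concatenation and is not wrapped in `$wpdb->prepare()`.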
EUVD identifier: EUVD-2023-34367