Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-0434

CWE-89SQL Injection5 documents5 sources
Severity
9.8CRITICAL
EPSS
87.7%
top 0.53%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Unknown Page View CountA3rev Page View Count
Timeline
PublishedMar 7
Latest updateMar 8

Description

The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDa3rev/page_view_count< 2.4.15
CVEListV5unknown/page_view_count2.4.152.4.15

🔴Vulnerability Details

3
GHSA
GHSA-qhcq-6xcp-843h: The Page View Count WordPress plugin before 22022-03-08
CVEList
Page Views Count < 2.4.15 - Unauthenticated SQL Injection2022-03-07
VulnCheck
a3rev page_view_count Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')2022

💥Exploits & PoCs

1
Nuclei
WordPress Page Views Count <2.4.15 - SQL Injection
CVE-2022-0434 (CRITICAL CVSS 9.8) | The Page View Count WordPress plugi | cvebase.io