CVE-2022-0788
Published: 2022-06-08

CVE-2022-0788: The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement…
Priority: P2 (69) · Severity: critical · CVSS 3.1 base score: 9.8 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit likelihood (EPSS): 7.88% (94.0th percentile)
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of its REST routes, leading to an SQL injection exploitable by unauthenticated users.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpmet | fundengine | < 1.5.0 | 1.5.0 |
Detection & IOCs (extracted from sources)

- Response matcher (Nuclei DSL): `status_code == 200 AND contains(content_type, "application/json") AND contains(body, "Invalid payment.")`
- Request payload fragment: `=6'`
- Template digest (bytes): `4a0a00473045022100e9719d9116ca714578ad01162015b876c95c8fbd425a3f8bb36c028d429f46a0022012a58487654843f8ae892f691b1b6e027c4b90e0ee40004c3109bb6aabbbcb3d:922c64590222798bb761d5b6d8e72950`
- The SQLi is exploitable by unauthenticated users via one of the plugin's REST routes. Monitor REST API requests to WP Fundraising plugin endpoints for SQL injection payloads (e.g., quote characters in parameters).
- A successful exploitation attempt returns HTTP 200 with Content-Type application/json and a body containing the string 'Invalid payment.' — use this as a detection fingerprint in WAF/IDS rules.
- The vulnerability affects WP Fundraising Donation and Crowdfunding Platform plugin versions before 1.5.0 only. Confirm the version scope before deploying detections to avoid false positives on patched installs.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei

CVE-2022-0788 [CRITICAL] WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection (nuclei · CVSS 9.8)

Template matcher fragment (the request section was lost in extraction; only the payload fragment `=6'` survives from it):

```yaml
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "Invalid payment.")'
condition: and
# digest: 4a0a00473045022100e9719d9116ca714578ad01162015b876c95c8fbd425a3f8bb36c028d429f46a0022012a58487654843f8ae892f691b1b6e027c4b90e0ee40004c3109bb6aabbbcb3d:922c64590222798bb761d5b6d8e72950
```