cbcvebase.
CVE-2022-0788
published 2022-06-08

CVE-2022-0788: The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement…

Priority: P2 · 69 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.88% (94.0th percentile)
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of its REST routes, leading to an SQL injection exploitable by unauthenticated users.

Affected

1 range

Vendor | Product    | Version range | Fixed in
wpmet  | fundengine | < 1.5.0       | 1.5.0

Detection & IOCs (extracted from sources)

Detection rule (other): status_code == 200 AND contains(content_type, "application/json") AND contains(body, "Invalid payment.")
Payload indicator (other): =6'
Bytes: 4a0a00473045022100e9719d9116ca714578ad01162015b876c95c8fbd425a3f8bb36c028d429f46a0022012a58487654843f8ae892f691b1b6e027c4b90e0ee40004c3109bb6aabbbcb3d:922c64590222798bb761d5b6d8e72950
  • The SQLi is exploitable by unauthenticated users via one of the plugin's REST routes. Monitor REST API requests to WP Fundraising plugin endpoints for SQL injection payloads (e.g., quote characters in parameters).
  • A successful exploitation attempt returns HTTP 200 with Content-Type application/json and body containing the string 'Invalid payment.' — use this as a detection fingerprint in WAF/IDS rules.
  • The vulnerability affects WP Fundraising Donation and Crowdfunding Platform plugin versions before 1.5.0 only. Confirm the version scope before deploying detections to avoid false positives on patched installs.
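As an added example, not from this page or the plugin vendor: the three detection bullets above combined into a Python classifier and run over constructed request/response records. The `/wp-json/` REST prefix and the `PLUGIN_ROUTE_PLACEHOLDER` route segment are assumptions, because the page does not name the vulnerable route.

```python
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (1, 5, 0)         # advisory: fixed in 1.5.0
FINGERPRINT = "Invalid payment."  # response string from the extracted rule
REST_PREFIX = "/wp-json/"         # assumption: WP REST base; the plugin's route is not named on the page

def parse_version(version: str) -> tuple:
    # '1.4.9' or '1.5' -> 3-tuple, so 1.5 compares equal to 1.5.0
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def is_in_scope(plugin_version: str) -> bool:
    # bullet 3: only installs before 1.5.0 are affected
    return parse_version(plugin_version) < FIXED_VERSION

def has_quote_in_params(url: str) -> bool:
    # bullet 1: quote characters in REST parameters (catches the =6' indicator)
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any("'" in v or '"' in v for vals in params.values() for v in vals)

def response_fingerprint(rec: dict) -> bool:
    # bullet 2 / extracted rule: 200 + application/json + 'Invalid payment.'
    return (rec["status_code"] == 200
            and "application/json" in rec["content_type"]
            and FINGERPRINT in rec["body"])

def classify(rec: dict, plugin_version: str) -> str:
    if not is_in_scope(plugin_version):
        return "out-of-scope"
    if not rec["url"].startswith(REST_PREFIX):
        return "no-match"
    injected, fp = has_quote_in_params(rec["url"]), response_fingerprint(rec)
    if injected and fp:
        return "probable-exploit-attempt"
    if injected:
        return "suspicious-request"
    return "fingerprint-only" if fp else "no-match"  # fingerprint alone may be a benign validation error

# Constructed sample records (not real traffic); the route segment is a placeholder.
SAMPLES = [
    {"url": "/wp-json/PLUGIN_ROUTE_PLACEHOLDER/pay?id=6'", "status_code": 200,
     "content_type": "application/json; charset=UTF-8", "body": '{"message":"Invalid payment."}'},
    {"url": "/wp-json/PLUGIN_ROUTE_PLACEHOLDER/pay?id=6", "status_code": 200,
     "content_type": "application/json; charset=UTF-8", "body": '{"message":"Invalid payment."}'},
]
```

The second sample shows why the response fingerprint alone is a weak signal: a legitimate request can return the same JSON error, so the quote check on the request side is what lifts the verdict.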

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P