CVE-2022-0814
Published 2022-05-09
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 8.91% (94.6th percentile)
The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubigeo_de_peru_para_woocommerce_project | ubigeo_de_peru_para_woocommerce | < 3.6.4 | 3.6.4 |
Detection & IOCs (extracted from sources)
Command: `action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#`
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the AJAX action parameter 'rt_ubigeo_load_distritos_address' and SQL UNION payloads in the 'idProv' parameter.
- Identify vulnerable WordPress installations by searching for the plugin path '/wp-content/plugins/ubigeo-peru/' in HTTP response bodies (Shodan: http.html:/wp-content/plugins/ubigeo-peru/, FOFA: body=/wp-content/plugins/ubigeo-peru/).
- Successful exploitation responses contain the JSON keys 'idProv', 'idDist', and 'distrito' in the HTTP response body, returned with a 200 status code and a text/html content-type header.
- The vulnerability is exploitable by unauthenticated users via AJAX actions; no authentication cookies or nonces are required in the POST request.
- Multiple AJAX actions are vulnerable, not just 'rt_ubigeo_load_distritos_address'. The Nuclei template only demonstrates one; defenders should monitor all AJAX actions exposed by the plugin for SQL injection patterns.
- The fix is available in version 3.6.4; installations running any version below 3.6.4 of the Ubigeo de Perú para Woocommerce plugin are affected.
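As an added defender-side example (not part of this record or of the Nuclei template), the Python below applies the detection points above to request records: it flags calls to admin-ajax.php that invoke the plugin's action with a UNION or quote-based payload, or with a non-numeric idProv. The sample records are constructed, and the 'rt_ubigeo_' action prefix used to widen the match to the plugin's other AJAX actions is an assumption, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample request records (URL, body), as a reverse proxy or WAF
# audit log with body capture might hold them. Not real captured traffic.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php",
     "action=rt_ubigeo_load_distritos_address&idProv=15"),
    ("/wp-admin/admin-ajax.php",
     "action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,2,3"),
    ("/wp-admin/admin-ajax.php",
     "action=rt_ubigeo_load_distritos_address&idProv=1'%20OR%201=1--%20-"),
    ("/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc123"),
    ("/wp-content/plugins/ubigeo-peru/readme.txt", ""),
]

# The advisory names one vulnerable action but says others in the plugin are
# affected too; 'rt_ubigeo_' is an ASSUMED prefix used to cover those as well.
KNOWN_ACTIONS = {"rt_ubigeo_load_distritos_address"}
ACTION_PREFIX = "rt_ubigeo_"

SQLI_PATTERNS = [
    re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"['\"]\s*(or|and)\b", re.I),                  # quote + boolean
    re.compile(r"(--|/\*|#)"),                                 # comment tails
]

def classify_request(url, body):
    """Return 'exploit', 'plugin-activity' or None for one request record."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # admin-ajax.php takes the action from the query string or the body and
    # serves GET as well as POST, so both sources are merged and method ignored.
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    action = params.get("action", [""])[0]
    if action not in KNOWN_ACTIONS and not action.startswith(ACTION_PREFIX):
        return None
    for name, values in params.items():
        if name == "action":
            continue
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double encoding
            if any(p.search(decoded) for p in SQLI_PATTERNS):
                return "exploit"
            if name == "idProv" and not decoded.strip().isdigit():
                return "exploit"  # province id is numeric in legitimate use
    return "plugin-activity"
```

Legitimate plugin traffic classifies as 'plugin-activity', so the same check doubles as an inventory of hosts still serving the plugin's AJAX endpoints.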
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
CVE-2022-0814 [CRITICAL] Ubigeo de Peru < 3.6.4 - SQL Injection (nuclei · CVSS 9.8)
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
Template:
```yaml
id: CVE-2022-0814
info:
  name: Ubigeo de Peru < 3.6.4 - SQL Injection
  author: r3Y3r53
  severity: critical
  description: |
    The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
  impact: |
    Unauthenticated attackers can exploit SQL injection via AJAX actions to extract usernames and password hashes from the WordPress database.
  remediation: Fixed in version 3.6.4
  reference:
    - https://wpscan
```