cbcvebase.
CVE-2022-0817
published 2022-05-09


Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (payload listed under Detection & IOCs)
EPSS: 11.48% (95.5th percentile)
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users
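Why the UNION payload listed under Detection & IOCs works against this bug class, shown as an added example that is not BadgeOS code and not taken from the page's sources. The plugin's real query and table are not on the page, so the `achievements` table below is a hypothetical 14-column stand-in chosen only to match the payload's column count; SQLite stands in for MySQL with `md5()` and `CONCAT()` registered so the payload runs unmodified.

```python
import hashlib
import sqlite3

# user_id value copied from the page's IOC payload (everything after "user_id=").
PAYLOAD = (
    "11 UNION ALL SELECT NULL,CONCAT(1,md5(999999999),1),"
    "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -"
)
# What the attacker looks for in the response: '1' + md5('999999999') + '1'.
MARKER = "1" + hashlib.md5(b"999999999").hexdigest() + "1"

# Hypothetical 14-column table (assumption). Only the column count matters: a
# UNION must supply exactly as many columns as the SELECT it is spliced into,
# which is why the payload carries one CONCAT and thirteen NULLs.
COLUMNS = ["id", "user_id"] + [f"meta{i}" for i in range(12)]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for MySQL; md5() and CONCAT() are registered
    as user functions so the unmodified payload executes here."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1,
                         lambda v: hashlib.md5(str(v).encode()).hexdigest())
    conn.create_function("concat", -1,
                         lambda *a: "".join("" if x is None else str(x) for x in a))
    types = {"id": "INTEGER", "user_id": "INTEGER"}
    cols = ", ".join(f"{c} {types.get(c, 'TEXT')}" for c in COLUMNS)
    conn.execute(f"CREATE TABLE achievements ({cols})")
    placeholders = ", ".join("?" * len(COLUMNS))
    # One constructed row for user 7, so a legitimate lookup has something to return.
    conn.execute(f"INSERT INTO achievements VALUES ({placeholders})",
                 [1, 7] + [f"v{i}" for i in range(12)])
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """The bug class behind the CVE (deliberately vulnerable): the request
    parameter is pasted into the SQL text, so '11 UNION ALL SELECT ...' becomes
    a second SELECT and '-- -' comments out the rest of the original query."""
    sql = f"SELECT * FROM achievements WHERE user_id = {user_id} ORDER BY id"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Fix: validate the type, then bind the value. In WordPress terms this is
    absint()/intval() plus $wpdb->prepare() with a %d placeholder."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT * FROM achievements WHERE user_id = ? ORDER BY id", (uid,)
    ).fetchall()


def leaked_marker(rows) -> bool:
    """True if any returned cell carries the attacker's md5 marker."""
    return any(MARKER in str(cell) for row in rows for cell in row)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", vulnerable_lookup(db, PAYLOAD))
    print("marker leaked:", leaked_marker(vulnerable_lookup(db, PAYLOAD)))
    print("hardened, payload:", safe_lookup(db, PAYLOAD))
    print("hardened, user 7:", safe_lookup(db, "7"))
```

The vulnerable path returns a row whose second column is the 34-character marker even though no row for user 11 exists; that is exactly the signal the IOC bullets below look for in the JSON response. The hardened path never lets the payload reach the database, because the parameter is coerced to an integer before it is bound.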

Affected (1 range)

Vendor    | Product  | Version range | Fixed in
badgeos   | badgeos  | <= 3.7.0      | (not listed)

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Payload: action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5(999999999),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
  • Detect requests (POST, and GET as well, since admin-ajax.php serves both) to /wp-admin/admin-ajax.php with action=get-achievements whose user_id parameter is anything other than a plain integer, in particular a UNION-based SQL injection payload, sent by clients with no WordPress login session
  • Successful exploitation returns HTTP 200 with Content-Type application/json; the body contains the string 'badgeos-arrange-buttons' together with the injected marker CONCAT(1,md5(999999999),1), which appears as a 34-character string: the 32-hex-character MD5 of 999999999 with a 1 on either side
  • The injection is reachable by unauthenticated users via the AJAX action get-achievements; monitor the user_id parameter for UNION-based payloads, including URL-encoded (also double-encoded) and comment-obfuscated (/**/) variants
  • The vulnerability affects the BadgeOS WordPress plugin through version 3.7.0; version 3.7.1 and above are patched
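The detection logic from the bullets above, run over constructed request records, as an added example (not the page's detection rule and not BadgeOS code). It assumes a log source that captures request bodies and an authentication flag, written here as JSON lines with `url`, `body`, `logged_in`, `status`, `ctype` and `resp` fields; a real ModSecurity audit log or proxy log would need mapping onto those names. It goes slightly beyond the bullets by normalising URL-encoded and `/**/`-obfuscated payloads before matching and by flagging any non-integer user_id, not only UNION payloads.

```python
import hashlib
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "get-achievements"
SUCCESS_STRING = "badgeos-arrange-buttons"          # response marker from the IOCs above
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
HEX32 = re.compile(r"[0-9a-f]{32}")                 # md5() output; no \b because CONCAT glues a '1' on each side


def normalize(value: str) -> str:
    """Undo common evasions before matching: a second URL decode for
    double-encoded payloads, MySQL /**/ comments used as separators, and
    irregular whitespace."""
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v)
    return re.sub(r"\s+", " ", v).strip()


def request_params(rec: dict) -> dict:
    """Merge query-string and body parameters: admin-ajax.php serves both GET and POST."""
    merged = parse_qs(urlsplit(rec.get("url", "")).query, keep_blank_values=True)
    merged.update(parse_qs(rec.get("body", ""), keep_blank_values=True))
    return {k: v[0] for k, v in merged.items()}


def classify(rec: dict):
    """Return a finding for a suspicious get-achievements call, or None."""
    if urlsplit(rec.get("url", "")).path != AJAX_PATH:
        return None
    params = request_params(rec)
    if params.get("action") != ACTION or "user_id" not in params:
        return None
    uid = normalize(params["user_id"])
    if uid.isdigit():
        return None                                  # the only legitimate shape of user_id
    kind = "sqli_union" if UNION_SELECT.search(uid) else "non_integer_user_id"
    resp = rec.get("resp", "")
    exploited = (rec.get("status") == 200
                 and str(rec.get("ctype", "")).startswith("application/json")
                 and SUCCESS_STRING in resp
                 and HEX32.search(resp) is not None)
    return {"ts": rec.get("ts"), "src": rec.get("src"), "kind": kind,
            "unauthenticated": not rec.get("logged_in", False),
            "exploited": exploited, "user_id": uid[:80]}


def scan(lines):
    """Run classify() over JSON-lines records, skipping blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real traffic). 'logged_in' stands for the
# presence of a valid wordpress_logged_in_* cookie, as a proxy would record it.
PAYLOAD_BODY = ("action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT "
                "NULL,CONCAT(1,md5(999999999),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,"
                "NULL,NULL,NULL,NULL,NULL-- -")
_MARKER = "1" + hashlib.md5(b"999999999").hexdigest() + "1"   # what the payload echoes back
SAMPLE_LINES = [json.dumps(r) for r in [
    {"ts": "2022-05-10T08:00:01Z", "src": "10.0.0.5", "method": "POST", "url": AJAX_PATH,
     "body": "action=get-achievements&total_only=true&user_id=11", "logged_in": False,
     "status": 200, "ctype": "application/json", "resp": '{"total":"3"}'},
    {"ts": "2022-05-10T08:00:02Z", "src": "203.0.113.9", "method": "POST", "url": AJAX_PATH,
     "body": PAYLOAD_BODY, "logged_in": False, "status": 200, "ctype": "application/json",
     "resp": '{"message":"<div class=badgeos-arrange-buttons>' + _MARKER + '</div>"}'},
    {"ts": "2022-05-10T08:00:03Z", "src": "198.51.100.7", "method": "GET",
     "url": AJAX_PATH + "?action=get-achievements&user_id=11%2520UNION%2520ALL%2520SELECT%2520NULL",
     "logged_in": True, "status": 403, "ctype": "text/html", "resp": "Forbidden"},
    {"ts": "2022-05-10T08:00:04Z", "src": "192.0.2.3", "method": "POST", "url": AJAX_PATH,
     "body": "action=get-achievements&user_id=abc", "logged_in": False,
     "status": 200, "ctype": "application/json", "resp": '{"total":"0"}'},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f)
```

Against the constructed records this flags the verbatim payload as an unauthenticated, successful exploitation (200, JSON, marker present), the double-encoded GET variant as an attempt blocked with 403, and the non-integer user_id as an anomaly worth a look, while the legitimate integer lookup produces nothing. The `exploited` flag is the one to page on; the attempts are what to count for fail2ban-style blocking.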

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat  |         | 5.5   | MEDIUM   | (no vector given)