CVE-2022-0948
published 2022-05-09


Priority: P1 79 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 9.79% (94.9th percentile)
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection

Affected

1 range
Vendor: pluginbazaar
Product: order_listener_for_woocommerce
Version range: < 3.2.2
Fixed in: 3.2.2

Detection & IOCs (extracted from sources)

other: olistener-action.olistener-controller
sigma:
  condition: and
  - 'status_code_1 == 200'
  - 'contains(content_type_1, "application/json")'
  - 'contains(body_2, "olistener-action.olistener-controller")'
  • The vulnerable REST route is accessible to unauthenticated users; monitor for unauthenticated REST API requests targeting the Order Listener for WooCommerce plugin endpoint whose 'id' parameter carries SQL injection payloads.
  • Fingerprint exploitation attempts by detecting HTTP responses with status 200, content-type 'application/json', and a response body containing the string 'olistener-action.olistener-controller'.
  • The nuclei/detection template digest should be validated before deployment to ensure template integrity.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL