cbcvebase.
CVE-2022-3768
published 2022-11-28

CVE-2022-3768: The WPSmartContracts WordPress plugin before 1.3.12 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL…

Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: (none listed)
EPSS: 3.66% (88.2 percentile)
The WPSmartContracts WordPress plugin before 1.3.12 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. The vector's PR:L reflects that: a single authenticated author-level account, with no user interaction, is enough to reach the injection, and the high C/I/A ratings reflect full read/write access to the WordPress database that SQL injection typically gives.

Affected (1 range)

Vendor            Product            Version range   Fixed in
wpsmartcontracts  wpsmartcontracts   < 1.3.12        1.3.12

Detection & IOCs (extracted from sources)

nuclei DSL matchers (the page files them under "sigma", but `status_code_2`, `contains(...)` and the `_2` request suffix are nuclei template expressions, not a Sigma rule)
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "Batch Mint NFTs")'
  • The injection is reachable by any authenticated user with the author role or above. The page does not name the vulnerable parameter or endpoint, so monitoring has to work one layer down: alert on database errors or unusually shaped queries attributable to author-role sessions, and review requests from such sessions to the WPSmartContracts plugin's endpoints for SQL metacharacters in parameter values.
  • The three matchers fingerprint the plugin, not the flaw: an HTTP 200 response with a text/html content type whose body contains the string 'Batch Mint NFTs'. The `_2` suffix means they are evaluated against the second response of a multi-request template. A hit shows the plugin is present; it does not by itself prove the installed version is below 1.3.12.
  • Version range: WPSmartContracts versions prior to 1.3.12 are vulnerable and 1.3.12 is the fix. Confirm the installed version before raising a finding on fingerprint alone.
  • Validate the nuclei/detection template's digest before operational use so that an altered template is not run against production hosts.
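The following is an added example, not code from the page or from the WPSmartContracts project: it re-implements the three matcher conditions above in plain Python, evaluates them over a constructed HTTP response, and then applies the "< 1.3.12" range from the Affected table so that a fingerprint hit is only reported as vulnerable when a version is known. The version is read from a WordPress-style plugin readme.txt "Stable tag:" line (a real plugin-readme convention, but the sample readme and response body here are constructed, and whether this plugin's readme is reachable on a given site is an assumption).

```python
"""Evaluate the page's nuclei-style fingerprint and the affected-version range.

Added illustration; the only figures taken from the advisory are the fixed
version (1.3.12) and the fingerprint string ('Batch Mint NFTs').
"""
import re
from dataclasses import dataclass, field
from typing import Optional

FIXED_VERSION = "1.3.12"         # "Fixed in" column of the Affected table
FINGERPRINT = "Batch Mint NFTs"  # string the page's third matcher looks for


@dataclass
class HttpResponse:
    """Minimal stand-in for the second response (_2) of a multi-request template."""
    status_code: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def matches_fingerprint(resp: HttpResponse) -> bool:
    """The three matcher conditions from the page, AND-ed as nuclei does by default."""
    return (
        resp.status_code == 200
        and "text/html" in resp.header("Content-Type")
        and FINGERPRINT in resp.body
    )


def parse_version(s: str) -> tuple:
    """'1.3.11' -> (1, 3, 11); ignores 'v' prefixes and non-numeric tags."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_affected(version: str) -> bool:
    """True when version < 1.3.12 (the '< 1.3.12' range in the Affected table).

    Tuple comparison handles differing lengths: (1, 3) < (1, 3, 12) and
    (1, 3, 12, 1) > (1, 3, 12), so a string-wise compare is not needed.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


# Plugin readme.txt files carry a 'Stable tag:' line with the released version.
STABLE_TAG = re.compile(r"^Stable tag:\s*([\w.\-]+)", re.I | re.M)


def version_from_readme(readme: str) -> Optional[str]:
    m = STABLE_TAG.search(readme)
    return m.group(1) if m else None


def assess(resp: HttpResponse, readme: Optional[str] = None) -> dict:
    """Combine the body fingerprint (plugin present) with the version check (vulnerable)."""
    present = matches_fingerprint(resp)
    version = version_from_readme(readme) if readme else None
    if not present:
        verdict = "plugin not detected"
    elif version is None or not parse_version(version):
        # e.g. 'Stable tag: trunk' carries no numeric version
        verdict = "plugin detected, version unknown"
    elif is_affected(version):
        verdict = f"vulnerable ({version} < {FIXED_VERSION})"
    else:
        verdict = f"patched ({version} >= {FIXED_VERSION})"
    return {"fingerprint": present, "version": version, "verdict": verdict}


# Constructed sample data (not captured from a real site).
SAMPLE_RESPONSE = HttpResponse(
    200,
    {"Content-Type": "text/html; charset=UTF-8"},
    "<html><body><h1>Batch Mint NFTs</h1></body></html>",
)
SAMPLE_README = "=== WPSmartContracts ===\nStable tag: 1.3.11\nRequires at least: 5.0\n"

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE, SAMPLE_README))
```

The split between `matches_fingerprint` and `is_affected` is the point: the page's matchers alone fire on every site running the plugin, patched or not, so a scanner built on them should only escalate to "vulnerable" once a version below 1.3.12 has been confirmed.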