CVE-2022-3849 — SQL Injection in User Merger Project WP User Merger

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 33.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

WP User Merger Project WP User Merger

Timeline

PublishedNov 28

Description

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDwp_user_merger_project/wp_user_merger< 1.5.3

🔴Vulnerability Details

GHSA

GHSA-3g68-h29c-7326: The WP User Merger WordPress plugin before 1↗2022-11-28

▶

CVEList

WP User Merger < 1.5.3 - Admin+ SQLi via user_id↗2022-11-28

▶