CVE-2022-3865 — SQL Injection in User Merger Project WP User Merger

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 27.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

WP User Merger Project WP User Merger

Timeline

PublishedNov 28

Description

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDwp_user_merger_project/wp_user_merger< 1.5.3

🔴Vulnerability Details

CVEList

WP User Merger < 1.5.3 - Admin+ SQLi via ID↗2022-11-28

▶

GHSA

GHSA-9ff9-jpcp-gg2m: The WP User Merger WordPress plugin before 1↗2022-11-28

▶