CVE-2022-4049
Published 2023-01-02

Priority P268 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit · EPSS 4.76% (90.8th percentile)
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp_user_project | wp_user | <= 7.0 | — |
Detection & IOCs (extracted from sources)
- Indicator (regex): "wpuser_update_setting":"([0-9a-zA-Z]+)"
- An HTTP response with status code 200, Content-Type text/html and a body containing 'Invalid Access' indicates a potentially vulnerable WP User plugin endpoint responding to the unauthenticated SQL injection probe.
- Extract the wpuser_update_setting nonce value from the response body using the regex '"wpuser_update_setting":"([0-9a-zA-Z]+)"'; this nonce is required to craft the unauthenticated SQL injection request.
- The vulnerability is exploitable by unauthenticated users via an unsanitized parameter passed directly into a SQL statement in the WP User WordPress plugin through version 7.0.
- The probe targets WP User plugin version 7.0 and below; the matcher checks for 'Invalid Access' in the response body as a fingerprint of the vulnerable plugin, not as proof that the injection succeeded.
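The two-step logic described above (extract the nonce from a first response, then judge the probe reply against the 200 / text/html / 'Invalid Access' matcher), carried through in Python as an added worked example. This is not code from the page or from the Nuclei project: the request that actually carries the nonce is not reproduced on this page, so the example evaluates constructed responses offline instead of sending traffic. The helper names, the sample bodies, and the reading of the template's unsuffixed status_code as the status of the second response are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Extractor regex from the indexed Nuclei template: group 1 is the nonce the
# plugin embeds for its wpuser_update_setting AJAX action.
NONCE_RE = re.compile(r'"wpuser_update_setting":"([0-9a-zA-Z]+)"')


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumption: real code would use
    requests/httpx objects instead)."""
    status_code: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def extract_nonce(body: str) -> Optional[str]:
    """Step 1: pull the wpuser_update_setting nonce out of a page body, or None."""
    m = NONCE_RE.search(body)
    return m.group(1) if m else None


def matches_fingerprint(probe: Response) -> bool:
    """Step 2: port of the template's DSL matcher (condition: and).

    header_2 / body_2 in the template refer to the second response of the
    request chain, i.e. the reply to the nonce-bearing probe. The unsuffixed
    status_code is read here as that same response's status (assumption).
    """
    content_type = probe.headers.get("Content-Type", "")
    return (
        probe.status_code == 200
        and "text/html" in content_type
        and "Invalid Access" in probe.body
    )


def evaluate_chain(first: Response, second: Response) -> dict:
    """Evaluate the two-request chain the way the template does.

    The nonce must be extractable from the first response before the probe
    reply is judged: without it the probe cannot be built, so the result is
    "no match" regardless of what the second response contains.
    """
    nonce = extract_nonce(first.body)
    if nonce is None:
        return {"nonce": None, "match": False, "reason": "no nonce in first response"}
    matched = matches_fingerprint(second)
    return {
        "nonce": nonce,
        "match": matched,
        "reason": "fingerprint matched" if matched else "probe response did not match",
    }


# Constructed sample traffic (not captured from a real site).
# 1) A front page that inlines the plugin's AJAX settings object.
SAMPLE_FIRST = Response(
    200,
    {"Content-Type": "text/html; charset=UTF-8"},
    '<script>var wpuser_ajax = {"ajaxurl":"/wp-admin/admin-ajax.php",'
    '"wpuser_update_setting":"a1b2c3d4e5"};</script>',
)
# 2) A probe reply that satisfies all three matcher clauses.
SAMPLE_SECOND = Response(200, {"Content-Type": "text/html"}, "Invalid Access")
# 3) Same body text but a JSON content type: the matcher must reject it.
SAMPLE_JSON = Response(200, {"Content-Type": "application/json"}, '{"msg":"Invalid Access"}')
# 4) A page with no plugin nonce: the chain cannot proceed.
SAMPLE_NO_NONCE = Response(200, {"Content-Type": "text/html"}, "<html><body>ok</body></html>")


if __name__ == "__main__":
    for label, first, second in [
        ("vulnerable-looking", SAMPLE_FIRST, SAMPLE_SECOND),
        ("json-reply", SAMPLE_FIRST, SAMPLE_JSON),
        ("no-nonce", SAMPLE_NO_NONCE, SAMPLE_SECOND),
    ]:
        print(label, evaluate_chain(first, second))
```

Two things worth keeping in mind when reusing this logic: the extractor is marked `internal: true` in the template, which means the nonce only feeds the next request as `{{nonce}}` and is not reported as a finding by itself; and 'Invalid Access' is a plugin fingerprint, not evidence that a payload reached the SQL statement, so a positive match still needs confirmation (for example a version check against the affected range) before it is treated as an exploitable instance.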
No detection rules found.
Nuclei template: WP User <= 7.0 - Unauthenticated SQLi (nuclei · CVSS 9.8)
Output line: CVE-2022-4049 [CRITICAL] WP User <= 7.0 - Unauthenticated SQLi
WP User =6
Matcher and extractor sections of the template as indexed here (the request definitions that precede them are not reproduced on this page):

```yaml
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(header_2, "text/html")
          - contains(body_2, 'Invalid Access')
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"wpuser_update_setting":"([0-9a-zA-Z]+)"'
        internal: true
# digest: 490a00463044022009a4f21fdfe6f38959e36c629f9d05440652833e62c61c4f5471ad7993a04da2022043416e4278dbcad1aed47c0a9bb7e8817585a8b1e1b3a694eefc8597c5873da9:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.