CVE-2022-4117
published 2022-12-26


Priority: P1 · 81 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.96% (91.1st percentile)
The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

Affected

1 range
Vendor: iws-geo-form-fields_project
Product: iws-geo-form-fields
Version range: <= 1.0
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?action=iws_gff_fetch_states
Command (PoC payload): country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(6)))b)
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=iws_gff_fetch_states — this AJAX action is available to unauthenticated users and is the attack vector for the SQL injection.
  • Look for time-based blind SQLi payloads in the country_id POST parameter, specifically patterns containing SLEEP() or similar time-delay functions injected into the value.
  • A successful exploitation response returns HTTP 200 with a JSON body containing both '"status":200' and '{"html":' — monitor for these response patterns paired with anomalous request durations (>=6 seconds).
  • The vulnerability affects IWS Geo Form Fields plugin through version 1.0; upgrade to version 1.1 or later or apply the vendor patch.
  • The proof-of-concept uses a SLEEP(6) time-based blind SQLi payload with a 15-second request timeout; detection rules relying solely on response time thresholds may produce false positives on slow servers, so correlate with the specific action parameter and payload pattern.
  • The AJAX action iws_gff_fetch_states requires no authentication (PR:N), meaning any unauthenticated network request can trigger the injection; no session or nonce validation is enforced by the vulnerable plugin.

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL