cbcvebase.
CVE-2022-4297
published 2023-01-02


Priority: P267
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EXPLOIT
EPSS: 3.60% (88.0th percentile)
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection

Affected (1 range)

Vendor: netflixtech
Product: wp_autocomplete_search
Version range: <= 1.0.4
Fixed in: (no fixed version listed)

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]
Path: /wp-admin/admin-ajax.php
Other: action=wi_get_search_results
  • Monitor unauthenticated POST/GET requests to /wp-admin/admin-ajax.php with the AJAX action parameter 'wi_get_search_results' — this is the vulnerable endpoint exposed to unauthenticated users.
  • Inspect the 'q' query parameter in requests to admin-ajax.php?action=wi_get_search_results for SQL injection payloads — this is the unsanitised parameter directly interpolated into SQL.
  • Alert on requests to admin-ajax.php carrying both 'action=wi_get_search_results' and SQL metacharacters (quotes, comment sequences, UNION/SELECT keywords) in the 'q' parameter.
  • The vulnerability affects WP AutoComplete Search plugin versions up to and including 1.0.4 only; verify the installed plugin version before applying detections to avoid false positives on patched installations.
  • The exploit requires a valid 'security' nonce value in the request; however, since the endpoint is unauthenticated, attackers may be able to obtain the nonce from the public-facing WordPress page that loads the autocomplete widget.
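The three detection bullets above describe one rule: a request to /wp-admin/admin-ajax.php whose action is wi_get_search_results, with SQL metacharacters in the q parameter. The following is an added example of that rule as detection logic run over web-server access logs; it is not code from the page or from the plugin. The log lines are constructed samples in combined log format, and the function and variable names (parse_line, classify, scan, SAMPLE_LOG) are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). Not real traffic:
# 1. benign autocomplete query to the vulnerable endpoint
# 2. the same endpoint with SQL metacharacters in q
# 3. a different admin-ajax action carrying a quote (not in scope for this rule)
# 4. a non-admin-ajax request carrying a quote (not in scope for this rule)
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?q=shoes&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=abcd1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jan/2023:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?q=shoes%27%20UNION%20SELECT%201--&Limit=1000&action=wi_get_search_results&security=abcd1234 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jan/2023:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat&q=%27 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jan/2023:10:00:04 +0000] "GET /?s=%27%20or%201%3D1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint and AJAX action named in the advisory's IOCs.
VULN_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "wi_get_search_results"

# SQL metacharacters listed in the detection notes: quotes, comment sequences,
# UNION/SELECT keywords. Matched after percent-decoding.
SQL_META_RE = re.compile(r"""['"`;]|--|/\*|#|\bUNION\b|\bSELECT\b""", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so encoded quotes/keywords are visible to the regex.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "params": params,
        "status": m.group("status"),
    }


def classify(req):
    """Return (severity, reason) for a parsed request, or None if the rule does not apply."""
    if req["path"] != VULN_PATH:
        return None
    if VULN_ACTION not in req["params"].get("action", []):
        return None
    hits = [v for v in req["params"].get("q", []) if SQL_META_RE.search(v)]
    if hits:
        return ("high", f"SQL metacharacters in q: {hits[0]!r}")
    # Still worth recording: the endpoint is reachable unauthenticated on <= 1.0.4.
    return ("info", "request to vulnerable endpoint, no SQL metacharacters in q")


def scan(lines):
    """Run the rule over an iterable of log lines and return the findings in order."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        verdict = classify(req)
        if verdict is not None:
            findings.append({**req, "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["method"]} [{f["severity"]}] {f["reason"]}')
```

Two caveats a practitioner will hit. First, standard access logs only record the query string, so a POST that carries q and action in the request body will be missed; for POST traffic this rule has to run where the body is visible (a WAF, a reverse proxy with body logging, or the WordPress request itself). Second, as the fourth bullet says, the rule cannot tell a patched site from a vulnerable one, so the "info" findings are only meaningful once the installed plugin version (<= 1.0.4) has been confirmed.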
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.