CVE-2022-22735

🗓️ 14 Mar 2022 14:41:54Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 143 Views🌐 WEB

The Simple Quotation WordPress plugin through 1.3.2 is vulnerable to SQL injection

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2022-22735	14 Mar 202215:15	–	attackerkb
Circl	CVE-2022-22735	14 Mar 202217:18	–	circl
CNNVD	WordPress plugin Simple Quotation SQL注入漏洞	14 Mar 202200:00	–	cnnvd
CNVD	WordPress Simple Quotation plugin SQL injection vulnerability	16 Mar 202200:00	–	cnvd
Cvelist	CVE-2022-22735 Simple Quotation <= 1.3.2 - Subscriber+ SQL injection	14 Mar 202214:41	–	cvelist
EUVD	EUVD-2022-27878	3 Oct 202520:07	–	euvd
NVD	CVE-2022-22735	14 Mar 202215:15	–	nvd
Patchstack	WordPress Simple Quotation plugin <= 1.3.2 - SQL injection (SQLi) vulnerability	17 Feb 202200:00	–	patchstack
Prion	Design/Logic Flaw	14 Mar 202215:15	–	prion
RedhatCVE	CVE-2022-22735	22 May 202523:50	–	redhatcve

NVD

Vulners

Node

sedlex simple_quotationRange≤1.3.2wordpress

[
  {
    "product": "Simple Quotation",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "1.3.2",
        "status": "affected",
        "version": "1.3.2",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/6940a97e-5a75-405c-be74-bedcc3a8ee00

Parameter	Position	Path	Description	CWE
action	request body	wp-admin/admin-ajax.php	The Simple Quotation WordPress plugin (up to 1.3.2) lacks authorization/CSRF checks and escapes user data in SQL statements, enabling authenticated users (e.g., subscribers) to perform SQL injection via AJAX actions such as delete_link.	CWE-89
idLink	request body	wp-admin/admin-ajax.php	The Simple Quotation WordPress plugin (up to 1.3.2) lacks authorization/CSRF checks and escapes user data in SQL statements, enabling authenticated users (e.g., subscribers) to perform SQL injection via AJAX actions such as delete_link.	CWE-89

21 Nov 2024 06:47Current

9High risk

Vulners AI Score9

CVSS 26.5

CVSS 3.18.8

EPSS0.00703

CWE-89