Lucene search

K
cveWPScanCVE-2022-4117
HistoryDec 26, 2022 - 1:15 p.m.

CVE-2022-4117

2022-12-2613:15:12
WPScan
web.nvd.nist.gov
40
cve-2022-4117
iws plugin
wordpress
unauthenticated
sql injection
nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.068

Percentile

94.0%

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

Affected configurations

Nvd
Vulners
Node
iws-geo-form-fields_projectiws-geo-form-fieldsRange1.0wordpress
VendorProductVersionCPE
iws-geo-form-fields_projectiws-geo-form-fields*cpe:2.3:a:iws-geo-form-fields_project:iws-geo-form-fields:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "IWS",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "1.0"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.068

Percentile

94.0%

Related for CVE-2022-4117