Cyr to Lat < 3.7 – Editor+ SQL Injection | CVE 2022-4290 | Plugin Vulnerabilities

Description

The plugin is vulnerable to authenticated SQL Injection via the 'ctl_sanitize_title' function in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This potentially allows authenticated users with the ability to add or modify terms or tags to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. A partial patch became available in version 3.6 and the issue was fully patched in version 3.7.

Proof of Concept

Visit Posts > Categories and add a new Category with the following name:

Testing!' UNION SELECT SLEEP(10) #

Notice that the request takes 10 seconds because of the SQL injection.

Affects Plugins

Fixed in 3.7

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Verified

Yes

WPVDB ID

78f11668-9d44-4394-ac22-05a3c8716747

Timeline

Publicly Published

2023-04-13 (about 2 years ago)

Added

2023-10-20 (about 2 years ago)

Last Updated

2023-10-20 (about 2 years ago)

Other

Published

Title

Published

2023-11-06

Title

Coming Soon < 1.6.0 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Published

2025-06-02

Title

Ultimate Gift Cards for WooCommerce < 3.1.5 - Authenticated (Administrator+) SQL Injection via wps_wgm_save_post Function

Published

2024-03-26

Title

Contact Form to Any API < 1.1.9 - Authenticated (Subscriber+) SQL Injection

Published

2025-11-07

Title

Quick Featured Images < 13.7.4 - Authenticated (Editor+) SQL Injection via delete_orphaned

Published

2023-10-30

Title

Jquery accordion slideshow < 8.2 - Authenticated (Subscriber+) SQL Injection via Shortcode