WordPress Plugin Vulnerabilities

WP Contacts Manager <= 2.2.4 - Unauthenticated SQLi

Description

The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
wp-contacts-manager
No known fix

References

CVE
CVE-2022-1014

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.4 (critical)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
eb9e202d-04aa-4343-86a2-4aa2edaa7f6b

Timeline

Publicly Published
2022-05-02 (about 3 years ago)
Added
2022-05-02 (about 3 years ago)
Last Updated
2022-05-02 (about 3 years ago)

Other

Published
Title
Published
2025-02-03
Title
Payment Forms for Paystack < 4.0.2 - Authenticated (Administrator+) SQL Injection
Published
2022-01-06
Title
WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
Published
2015-04-14
Title
Tune Library <= 1.5.4 - SQL Injection
Published
2019-04-02
Title
WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
Published
2017-09-02
Title
SQL Shortcode <= 1.1 - Authenticated SQL Execution