Cyber Resilience

CVE-2022-0349

Severity: Critical · Public PoC available

Published: 07 March 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: available (NotificationX 2.3.9 or later)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.6151 (98.4th percentile)
Risk priority: 57 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0349 is a critical-severity SQL injection (CWE-89) vulnerability in the WPDeveloper NotificationX WordPress plugin. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The NotificationX WordPress plugin before version 2.3.9 contains an unauthenticated blind SQL injection vulnerability (CWE-89) caused by missing sanitization and escaping of the nx_id parameter before it is used in a SQL statement. The flaw affects any site running the affected plugin and carries a CVSS 3.1 score of 9.8, reflecting a network-reachable attack vector with low attack complexity and no required privileges or user interaction.

An unauthenticated remote attacker can supply a crafted nx_id value to extract or manipulate database contents, potentially leading to full compromise of the confidentiality, integrity, and availability of the WordPress site and its data.

The referenced WPScan advisory at https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a identifies the issue and indicates that sites should update to NotificationX 2.3.9 or later to eliminate the vulnerable code path. The associated EPSS score has remained at 0.6151 since disclosure with no material increase observed.
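The weakness described above, shown as an added illustration rather than NotificationX's actual code: a hypothetical WordPress AJAX handler that interpolates the request's nx_id straight into a query, beside the hardened form that validates the value and binds it through $wpdb->prepare(). The table name, function names and hook names are assumptions.

```php
<?php
// Hypothetical WordPress AJAX handler illustrating the CWE-89 pattern behind
// CVE-2022-0349. Table, function and hook names are assumptions, not plugin code.

// VULNERABLE (shown for contrast only, never registered below): the request
// value is concatenated into SQL without validation or escaping, so a crafted
// nx_id can change the statement's structure rather than just its operand.
function nx_example_vulnerable_lookup() {
    global $wpdb;
    $nx_id = isset( $_REQUEST['nx_id'] ) ? $_REQUEST['nx_id'] : '';
    $table = $wpdb->prefix . 'nx_notifications';
    $row   = $wpdb->get_row( "SELECT * FROM {$table} WHERE nx_id = {$nx_id}" );
    wp_send_json( $row );
}

// HARDENED: accept only a non-negative integer, reject anything else with a
// 400, and bind the value with $wpdb->prepare() so it can never alter syntax.
function nx_example_hardened_lookup() {
    global $wpdb;
    if ( ! isset( $_REQUEST['nx_id'] ) || ! ctype_digit( (string) $_REQUEST['nx_id'] ) ) {
        wp_send_json_error( array( 'message' => 'invalid nx_id' ), 400 );
    }
    $nx_id = absint( $_REQUEST['nx_id'] );
    $table = $wpdb->prefix . 'nx_notifications';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE nx_id = %d", $nx_id )
    );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $row );
}

// Both the logged-in and the unauthenticated (nopriv) AJAX hooks reach the
// handler; an unvalidated parameter on such a path is reachable pre-auth,
// which is why this class of bug carries PR:N in the CVSS vector.
add_action( 'wp_ajax_nx_example_lookup', 'nx_example_hardened_lookup' );
add_action( 'wp_ajax_nopriv_nx_example_lookup', 'nx_example_hardened_lookup' );
```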

EU & UK References

Vulnerability details

The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpdeveloper
Product: notificationx
Versions: ≤ 2.3.9

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.

References

- WPScan advisory: https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a