Cyber Resilience

CVE-2022-0412

Critical · Public PoC

Published: 28 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 1.40.1)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8586 (99.4th percentile)
Risk Priority: 71 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-0412 is a critical-severity SQL injection (CWE-89) vulnerability in TemplateInvaders TI WooCommerce Wishlist. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.6% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro WordPress plugins before version 1.40.1 contain an SQL injection vulnerability tracked as CVE-2022-0412. The flaw stems from missing sanitization and escaping of the item_id parameter when it is passed to a SQL statement through the wishlist/remove_product REST endpoint, corresponding to CWE-89. The issue received a CVSS 3.1 score of 9.8.

Unauthenticated attackers can reach the vulnerable endpoint over the network and supply crafted input to execute arbitrary SQL queries. Successful exploitation can result in full compromise of the confidentiality, integrity, and availability of the affected WordPress site and its database.

The official patches referenced in the WordPress plugin repository update both the free and Pro editions to version 1.40.1, adding proper input handling for the item_id parameter. Administrators are advised to apply the update promptly; the WPScan advisory entry also documents the same remediation steps.
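To illustrate the weakness and the remediation described above, here is an added, hypothetical WordPress REST route handler for a wishlist remove_product action (this is not the plugin's code and not the 1.40.1 patch): first in the unsafe shape, then hardened with absint(), $wpdb->prepare() and an argument schema. The table name, the route namespace and the function names are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical WordPress REST callback
// for a wishlist "remove_product" route that takes item_id, shown first in the
// weak shape the advisory describes and then hardened. The table name
// 'wishlist_items', the route namespace 'example/v1' and the function names
// are assumptions.

// Weak shape (CWE-89): item_id is spliced into the SQL text unvalidated and
// unescaped, so anything other than a bare integer alters the query structure.
function example_remove_product_weak( WP_REST_Request $request ) {
    global $wpdb;
    $item_id = $request->get_param( 'item_id' );
    $table   = $wpdb->prefix . 'wishlist_items';
    $wpdb->query( "DELETE FROM {$table} WHERE ID = " . $item_id );
    return rest_ensure_response( array( 'removed' => $wpdb->rows_affected ) );
}

// Hardened shape: coerce to a positive integer with absint(), reject zero, and
// bind the value through $wpdb->prepare() so it is never parsed as SQL.
// The table name is built from code, not from request input.
function example_remove_product_safe( WP_REST_Request $request ) {
    global $wpdb;
    $item_id = absint( $request->get_param( 'item_id' ) );
    if ( 0 === $item_id ) {
        return new WP_Error( 'invalid_item_id', 'item_id must be a positive integer.', array( 'status' => 400 ) );
    }
    $table = $wpdb->prefix . 'wishlist_items';
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE ID = %d", $item_id ) );
    return rest_ensure_response( array( 'removed' => $wpdb->rows_affected ) );
}

// Declaring the argument schema makes the REST layer reject non-integer input
// with a 400 before the callback runs, a second layer in front of prepare().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/wishlist/remove_product', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_remove_product_safe',
        // The advisory describes a publicly reachable endpoint; whatever
        // authorization policy the feature requires belongs here.
        'permission_callback' => '__return_true',
        'args'                => array(
            'item_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```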

The associated EPSS score currently stands at 0.8586 with a recorded peak of 0.8793, indicating sustained exploitation interest after disclosure.

Vulnerability details

The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: templateinvaders
Product: ti woocommerce wishlist
Versions: ≤ 1.40.1 · ≤ 1.40.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses CWE-89)
- Validates query inputs to prevent SQL syntax or command manipulation. (addresses CWE-89)
