CVE-2022-0412
Published: 28 February 2022
Summary
CVE-2022-0412 is a critical-severity SQL Injection (CWE-89) vulnerability in Templateinvaders Ti Woocommerce Wishlist. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro WordPress plugins before version 1.40.1 contain an SQL injection vulnerability tracked as CVE-2022-0412. The flaw stems from missing sanitization and escaping of the item_id parameter when it is passed to a SQL statement through the wishlist/remove_product REST endpoint, corresponding to CWE-89. The issue received a CVSS 3.1 score of 9.8.
Unauthenticated attackers can reach the vulnerable endpoint over the network and supply crafted input to execute arbitrary SQL queries. Successful exploitation can result in full compromise of the confidentiality, integrity, and availability of the affected WordPress site and its database.
The official patches referenced in the WordPress plugin repository update both the free and Pro editions to version 1.40.1, adding proper input handling for the item_id parameter. Administrators are advised to apply the update promptly; the WPScan advisory entry also documents the same remediation steps.
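The weakness the advisory describes is the classic CWE-89 pattern in a WordPress REST handler: a request parameter (here item_id) reaching a SQL statement without validation or binding. The following is an added illustrative example, not the plugin's own code; the route name, table name and function names are hypothetical, and it shows the unsafe pattern as a comment beside the hardened form that uses WordPress argument validation and $wpdb->prepare().

```php
<?php
// Hypothetical WordPress REST endpoint modelled on a "remove_product"
// wishlist action. Not taken from the TI WooCommerce Wishlist plugin.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-wishlist/v1', '/remove_product', array(
        'methods'             => 'POST',
        'callback'            => 'example_remove_product',
        // The advisory's endpoint is reachable without authentication; add an
        // ownership or nonce check here whenever the feature allows it.
        'permission_callback' => '__return_true',
        'args'                => array(
            'item_id' => array(
                'required'          => true,
                // Reject anything that is not a positive integer before the
                // callback runs, so malformed input never reaches the query.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_remove_product( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_wishlist_items'; // hypothetical table

    // UNSAFE (CWE-89): the raw request value is interpolated into the SQL
    // text, so its contents can change the structure of the statement.
    // $sql = "DELETE FROM {$table} WHERE ID = " . $request['item_id'];

    // SAFE: item_id has already been validated and coerced to an unsigned
    // integer, and $wpdb->prepare() binds it as %d, so it is only ever data.
    $item_id = absint( $request->get_param( 'item_id' ) );
    $sql     = $wpdb->prepare( "DELETE FROM {$table} WHERE ID = %d", $item_id );
    $deleted = $wpdb->query( $sql );

    if ( false === $deleted ) {
        return new WP_Error( 'db_error', 'Could not remove item', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'removed' => (int) $deleted ) );
}
```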
The associated EPSS score currently stands at 0.8586 with a recorded peak of 0.8793, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15556
Vulnerability details
The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.