CVE-2022-0827
Published: 13 June 2022
Summary
CVE-2022-0827 is a critical-severity SQL Injection (CWE-89) vulnerability in Presspage Bestbooks. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Bestbooks WordPress plugin through version 2.6.3 contains an SQL injection vulnerability (CWE-89) because it fails to sanitize or escape certain parameters before incorporating them into SQL statements executed through an AJAX action. The affected component is the Bestbooks plugin running on WordPress sites, and the flaw carries a CVSS 3.1 score of 9.8 reflecting network-exploitable impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can supply malicious input via the AJAX endpoint to manipulate database queries. Successful exploitation allows arbitrary SQL execution, which can result in data exfiltration, modification, or deletion and potentially lead to further compromise of the WordPress installation.
Public references point to WPScan entries that document the issue, but no specific patch versions, mitigation steps, or official advisories are detailed in the available references. The EPSS score has reached a peak of 0.7476 with a current value of 0.6802.
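The defect class described above, shown as an added illustration rather than code from the Bestbooks plugin: a hypothetical WordPress AJAX handler that drops a request parameter straight into a SQL string, beside a hardened handler that uses $wpdb->prepare, verifies a nonce and a capability, and is not registered for anonymous callers. The action name, table name, parameter name and nonce name are all assumptions.

```php
<?php
// Hypothetical handlers added for illustration; not Bestbooks code.
// Action, table, parameter and nonce names below are assumptions.

// Vulnerable pattern matching the CVE description: the request parameter
// is neither sanitised nor escaped before it is spliced into the SQL text.
function example_books_search_vulnerable() {
    global $wpdb;
    $title = $_POST['title'];                                   // untrusted input
    $sql   = "SELECT id, title FROM {$wpdb->prefix}example_books"
           . " WHERE title = '$title'";                         // string concatenation
    wp_send_json_success( $wpdb->get_results( $sql ) );         // query text is attacker-shaped
}
// Registered for logged-in AND anonymous callers, which is what makes the
// flaw reachable by unauthenticated users.
add_action( 'wp_ajax_example_books_search',        'example_books_search_vulnerable' );
add_action( 'wp_ajax_nopriv_example_books_search', 'example_books_search_vulnerable' );

// Hardened form: parameterised query, request origin check, capability check,
// and no wp_ajax_nopriv_ registration unless anonymous access is truly required.
function example_books_search_safe() {
    global $wpdb;
    check_ajax_referer( 'example_books_search', 'nonce' );      // rejects forged requests
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // %s placeholder: $wpdb->prepare quotes and escapes the value; the SQL
    // structure can no longer be altered by the parameter.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_books WHERE title = %s",
        $title
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_example_books_search_safe', 'example_books_search_safe' );
```

When auditing a plugin for this weakness, grep its wp_ajax_ and wp_ajax_nopriv_ callbacks for $wpdb calls whose SQL is built by concatenation or interpolation rather than $wpdb->prepare.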
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15875
Vulnerability details
The Bestbooks WordPress plugin through 2.6.3 does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.