CVE-2022-1950
Published: 01 August 2022
Summary
CVE-2022-1950 is a critical-severity SQL Injection (CWE-89) vulnerability in Kainelabs Youzify. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Youzify WordPress plugin before version 1.2.0 contains an unauthenticated SQL injection vulnerability tracked as CVE-2022-1950. The flaw stems from missing sanitization and escaping of a parameter passed to a SQL statement inside an AJAX action that is reachable without authentication, corresponding to CWE-89.
Unauthenticated remote attackers can supply crafted input to the affected AJAX endpoint and execute arbitrary SQL queries against the database. Successful exploitation can result in full read, write, or deletion of database contents, yielding complete compromise of confidentiality, integrity, and availability as reflected in the CVSS 3.1 base score of 9.8.
The referenced WPScan advisory identifies the issue in versions prior to 1.2.0 and indicates that updating the plugin eliminates the vulnerable code path. The associated EPSS score has remained at 0.5965 with no material increase after disclosure.
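The weak and hardened shapes of an AJAX handler with this defect, as an added illustration in PHP (not Youzify's code; the handler, the `uid` parameter and the table name are hypothetical):

```php
<?php
// Added example, not Youzify's code. Handler, parameter and table names are hypothetical.

// WEAK PATTERN (the CWE-89 shape the advisory describes): request data is
// concatenated into SQL inside an action that is reachable by unauthenticated
// callers because it is registered on the wp_ajax_nopriv_ hook.
function hypo_lookup_weak() {
    global $wpdb;
    $uid = $_POST['uid'];                                                 // no sanitisation
    $sql = "SELECT * FROM {$wpdb->prefix}hypo_profiles WHERE user_id = $uid"; // no escaping
    wp_send_json( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_nopriv_hypo_lookup_weak', 'hypo_lookup_weak' );
add_action( 'wp_ajax_hypo_lookup_weak', 'hypo_lookup_weak' );

// HARDENED FORM: coerce the value to the type the query expects, bind it through
// $wpdb->prepare() so it can never change the statement's structure, verify a nonce,
// and register the nopriv hook only if anonymous access is genuinely required.
function hypo_lookup_safe() {
    global $wpdb;
    check_ajax_referer( 'hypo_lookup_nonce', 'nonce' );   // CSRF check for the logged-in hook
    $uid = isset( $_POST['uid'] ) ? absint( wp_unslash( $_POST['uid'] ) ) : 0;
    if ( 0 === $uid ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    // %d binds an integer; use %s for strings. Table names cannot be bound and
    // must never come from request data.
    $sql = $wpdb->prepare(
        "SELECT user_id, display_name FROM {$wpdb->prefix}hypo_profiles WHERE user_id = %d",
        $uid
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_hypo_lookup', 'hypo_lookup_safe' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated reach is opt-in.
```

The fix the advisory credits to 1.2.0 is of the second kind: the parameter is validated and bound before it reaches the SQL statement, so crafted input cannot alter the query.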
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-25218
Vulnerability details
The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.