CVE-2022-2754
Published: 19 September 2022
Summary
CVE-2022-2754 is a critical-severity SQL Injection (CWE-89) vulnerability in the Ketchup Restaurant Reservations WordPress plugin (vendor: Ketchup Restaurant Reservations Project). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Ketchup Restaurant Reservations WordPress plugin through version 1.0.0 contains a SQL injection vulnerability tracked as CVE-2022-2754. The plugin does not validate or escape certain reservation parameters before inserting them into SQL statements, enabling attacks under CWE-89. The issue carries a CVSS v3.1 score of 9.8 reflecting network-accessible exploitation without authentication or user interaction.
Unauthenticated remote attackers can supply crafted parameters to execute arbitrary SQL queries against the database. Successful exploitation can result in extraction or modification of data, and in many WordPress deployments may lead to full site takeover through privilege escalation or code execution.
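The weakness class described above is a request parameter concatenated into a SQL statement without validation or escaping. The following PHP is an added illustration written for this page, not the Ketchup plugin's own code: the function names, the demo_reservations table and its columns, and the reservation_date and orderby parameters are all assumptions. It shows the vulnerable pattern next to the hardened form using WordPress's $wpdb->prepare() placeholders and an allow-list for the one value (a column name) that placeholders cannot bind.

```php
<?php
// Added example for this advisory page; hypothetical code, not from the plugin.
// Assumes it runs inside WordPress so that $wpdb, wp_unslash(),
// sanitize_text_field() and WP_Error are available.

// VULNERABLE (CWE-89): the request values are interpolated straight into SQL.
// A quote character or SQL syntax in either parameter changes the query
// structure instead of being treated as data.
function demo_find_reservations_unsafe( $request ) {
    global $wpdb;
    $date    = $request['reservation_date']; // unvalidated, attacker-controlled
    $orderby = $request['orderby'];          // unvalidated, attacker-controlled
    $sql     = "SELECT id, guest_name, party_size FROM {$wpdb->prefix}demo_reservations"
             . " WHERE reservation_date = '$date' ORDER BY $orderby";
    return $wpdb->get_results( $sql );
}

// HARDENED: validate the expected shape, bind data values with prepare(),
// and allow-list identifiers that cannot be bound (column names).
function demo_find_reservations_safe( $request ) {
    global $wpdb;

    // 1. Data value: normalise, then enforce the only shape we accept (YYYY-MM-DD).
    $date = isset( $request['reservation_date'] )
        ? sanitize_text_field( wp_unslash( $request['reservation_date'] ) )
        : '';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        return new WP_Error( 'invalid_date', 'Reservation date must be YYYY-MM-DD.' );
    }

    // 2. Identifier: ORDER BY cannot take a %s placeholder, so map the request
    //    value onto a fixed set of column names and reject anything else.
    $allowed_orderby = array( 'reservation_date', 'party_size', 'guest_name' );
    $orderby = isset( $request['orderby'] ) ? (string) $request['orderby'] : 'reservation_date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'reservation_date';
    }

    // 3. Bind the data value with a placeholder; %s is quoted and escaped by WordPress.
    $sql = $wpdb->prepare(
        "SELECT id, guest_name, party_size FROM {$wpdb->prefix}demo_reservations"
        . " WHERE reservation_date = %s ORDER BY $orderby",
        $date
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, grep for $wpdb->query(), get_results(), get_var() and get_row() calls whose SQL string is built with interpolation or concatenation from $_GET, $_POST or $_REQUEST; every such call should either pass through $wpdb->prepare() with %s/%d placeholders or, for table and column names, through an explicit allow-list as above.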
The EPSS probability rose from low values to a peak of 0.2129 on 2025-12-11 before receding to the current score of 0.0439, indicating that exploitation interest emerged after public disclosure. WPScan published technical details of the flaw at the referenced advisory URLs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34996
Vulnerability details
The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.