Cyber Resilience

CVE-2022-2754

Critical · Public PoC

Published: 19 September 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0439 (89.2nd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-2754 is a critical-severity SQL Injection (CWE-89) vulnerability in the Ketchup Restaurant Reservations WordPress plugin (vendor listed as Ketchup Restaurant Reservations Project). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, the CVE ranks in the top 10.8% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Ketchup Restaurant Reservations WordPress plugin through version 1.0.0 contains a SQL injection vulnerability tracked as CVE-2022-2754. The plugin does not validate or escape certain reservation parameters before inserting them into SQL statements, so attacker-controlled input reaches the SQL parser as part of the query text rather than as bound data (CWE-89). The CVSS v3.1 score of 9.8 reflects network-accessible exploitation with no authentication and no user interaction.

Because no login is required, a remote attacker can supply crafted reservation parameters to execute arbitrary SQL queries against the WordPress database with the privileges of the site's database user. Successful exploitation can result in extraction or modification of data; in a typical WordPress deployment, where the plugin shares the database with core tables, that means reading credential material such as password hashes or altering user and option records, which can lead to full site takeover through privilege escalation or code execution.

The EPSS probability rose from low values to a peak of 0.2129 on 2025-12-11 before receding to the current score of 0.0439, indicating that exploitation interest emerged well after public disclosure. EPSS is a prediction of exploitation activity in the next 30 days, not evidence that a given site was attacked, so it should steer patch priority rather than replace log review. WPScan published technical details of the flaw at the referenced advisory URLs.

Vulnerability details

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ketchup restaurant reservations project
Product: ketchup restaurant reservations (WordPress plugin)
Versions: ≤ 1.0.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-89) cited in the NVD entry.

Control addressing CWE-89: penetration testing that sends SQL injection payloads against database-backed interfaces, identifying SQL injection weaknesses and supporting their fixes.

Control addressing CWE-89: validating and escaping query inputs, or binding them as parameters, so that request data cannot alter SQL syntax or inject commands.
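As an added illustration (not code from the plugin, from WPScan, or from this page) of the defect class described under Deeper analysis and of the two controls listed above, the Python below builds a constructed in-memory SQLite reservations table, shows a lookup that interpolates a reservation parameter into the SQL text (the CWE-89 pattern), the same lookup with the parameter bound as data, and a pentest-style probe that tells the two apart by sending a tautology payload. Table names, column names, sample rows, the users table and the placeholder hash are all assumptions made for the illustration; the WordPress equivalent of the bound-parameter form is $wpdb->prepare() with placeholders.

```python
"""
Added illustration of an unescaped query parameter (CWE-89), its fix, and a
payload-based probe.  Everything here is constructed for the example; it is
not the Ketchup Restaurant Reservations plugin's code or schema.
"""
import sqlite3

# Constructed placeholder, not a real WordPress hash.
ADMIN_HASH = "$P$B-constructed-hash-not-real"

# Tautology payload: closes the string literal and appends an always-true term.
TAUTOLOGY = "2022-09-19' OR '1'='1"

# UNION payload: pulls rows from another table in the same database
# (table and column names are assumptions for this illustration).
UNION_PAYLOAD = "2022-09-19' UNION SELECT user_login, user_pass FROM users WHERE '1'='1"


def setup_db() -> sqlite3.Connection:
    """Create constructed reservations and users tables sharing one database,
    mirroring a plugin table living beside core tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations ("
        "id INTEGER PRIMARY KEY, guest TEXT, email TEXT, res_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservations (guest, email, res_date) VALUES (?, ?, ?)",
        [
            ("Alice", "alice@example.test", "2022-09-19"),
            ("Bob", "bob@example.test", "2022-09-20"),
            ("Carol", "carol@example.test", "2022-09-21"),
        ],
    )
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, res_date: str) -> list:
    """Vulnerable pattern: the request parameter is concatenated into the SQL
    text, so quotes and keywords in it are parsed as SQL."""
    sql = f"SELECT guest, email FROM reservations WHERE res_date = '{res_date}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, res_date: str) -> list:
    """Hardened pattern: the parameter is bound, so the driver passes it to the
    engine as a value and it can never change the statement's structure."""
    sql = "SELECT guest, email FROM reservations WHERE res_date = ?"
    return conn.execute(sql, (res_date,)).fetchall()


def probe_injectable(conn: sqlite3.Connection, lookup) -> bool:
    """Pentest-style check: compare a benign value against a tautology payload.
    More rows for the payload than for the benign value means the parameter is
    reaching the SQL parser unescaped."""
    benign = lookup(conn, "2022-09-19")
    injected = lookup(conn, TAUTOLOGY)
    return len(injected) > len(benign)


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, tautology:", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union:    ", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("fixed, tautology:     ", lookup_fixed(conn, TAUTOLOGY))
    print("fixed, union:         ", lookup_fixed(conn, UNION_PAYLOAD))
    print("probe vulnerable:", probe_injectable(conn, lookup_vulnerable))
    print("probe fixed:     ", probe_injectable(conn, lookup_fixed))
```

The row-count differential used by the probe is the simplest boolean-based check; real assessments also use error-based and time-based differentials because many endpoints return no rows to the client at all. The UNION payload shows why the advisory's "extraction of data" extends beyond the reservations table: any table the database user can read is in reach once the parameter is unescaped.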
