CVE-2022-3254
Published: 31 October 2022
Summary
CVE-2022-3254 is a critical-severity SQL Injection (CWE-89) vulnerability in Strategy11 AWP Classifieds (the WordPress Classifieds Plugin). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.6% of all CVEs by estimated exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; a public proof-of-concept is referenced.
Deeper analysis
The WordPress Classifieds Plugin (AWP Classifieds) before version 4.3 contains a SQL injection vulnerability tracked as CVE-2022-3254. The flaw stems from insufficient sanitization and escaping of user-supplied parameters that are passed into a SQL statement by an AJAX action. The vulnerable code path is only present when a specific premium module is active, and the AJAX action is reachable by unauthenticated users.
Unauthenticated attackers can supply crafted input to the exposed AJAX endpoint and execute arbitrary SQL queries against the database. Successful exploitation can yield full read/write access to database contents, potential authentication bypass, or further site compromise, consistent with the CVSS 9.8 rating and CWE-89 classification.
Public references from WPScan detail the affected plugin versions and confirm the unauthenticated attack surface. Site operators are advised to update the Classifieds Plugin to version 4.3 or later to eliminate the vulnerable code paths.
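To make the bug class concrete, here is an added illustration of an unauthenticated WordPress AJAX handler in its vulnerable form and a hardened form. This is example code written for this page, not the plugin's own code: the action name `awpcp_filter_example`, the parameter names `category` and `orderby`, and the custom table `{$wpdb->prefix}classifieds_listings` are all hypothetical, chosen only to show the pattern the advisory describes (unescaped request data interpolated into SQL behind a `wp_ajax_nopriv_` hook).

```php
<?php
// Added example for this page; not code from the AWP Classifieds plugin.
// Action name, parameter names and table name are hypothetical.

// BEFORE: a public (nopriv) AJAX action that interpolates request data into SQL.
// Both hooks are registered, so logged-in and anonymous callers reach the same code.
add_action( 'wp_ajax_nopriv_awpcp_filter_example', 'awpcp_filter_example_vulnerable' );
add_action( 'wp_ajax_awpcp_filter_example', 'awpcp_filter_example_vulnerable' );

function awpcp_filter_example_vulnerable() {
    global $wpdb;
    $category = $_GET['category']; // raw, unescaped value
    $orderby  = $_GET['orderby'];  // raw identifier, also attacker-controlled
    // A request such as  category=x' UNION SELECT user_login, user_pass FROM wp_users-- -
    // closes the quoted literal and appends arbitrary SQL.
    $sql = "SELECT id, title FROM {$wpdb->prefix}classifieds_listings "
         . "WHERE status = 'active' AND category = '{$category}' "
         . "ORDER BY {$orderby}";
    wp_send_json( $wpdb->get_results( $sql ) ); // wp_send_json() exits
}

// AFTER: same public action, but every value goes through $wpdb->prepare()
// and the ORDER BY identifier is restricted to an allow-list, because
// identifiers cannot be bound as placeholders.
function awpcp_filter_example_hardened() {
    global $wpdb;

    $category = sanitize_text_field( wp_unslash( $_GET['category'] ?? '' ) );

    $allowed_order = array( 'title', 'created_at' );
    $requested     = $_GET['orderby'] ?? '';
    $orderby       = in_array( $requested, $allowed_order, true ) ? $requested : 'created_at';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}classifieds_listings "
        . "WHERE status = %s AND category = %s "
        . "ORDER BY {$orderby}",
        'active',
        $category
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}
```

The hardened handler still serves anonymous users, which is legitimate for a public listing search; the fix is in how the query is built, not in who may call it. If the action were not meant to be public, removing the `wp_ajax_nopriv_` registration and adding `check_ajax_referer()` plus a capability check would shrink the attack surface further, but that alone would not have fixed the injection.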
The CVE carries a high EPSS score (currently 0.8658, peak 0.8733), which EPSS defines as the estimated probability of exploitation activity in the wild within the next 30 days; a value this high indicates that exploitation attempts should be expected.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42658
Vulnerability details
The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.