Cyber Resilience

CVE-2022-3254

Critical · Public PoC

Published: 31 October 2022

Modified: 06 May 2025
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8658 (99.4th percentile)
Risk Priority: 72 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3254 is a critical-severity SQL Injection (CWE-89) vulnerability in Strategy11 Awp Classifieds. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The WordPress Classifieds Plugin for WordPress before version 4.3 contains a SQL injection vulnerability tracked as CVE-2022-3254. The flaw stems from insufficient sanitization and escaping of user-supplied parameters before they are placed into SQL statements by an AJAX action. The vulnerable code path is present only when a specific premium module is active, and it is reachable without authentication.

Because the AJAX action is exposed to unauthenticated users, an attacker can supply crafted parameter values and have arbitrary SQL executed against the site's database. Successful exploitation can yield full read/write access to database contents, potential authentication bypass, or further site compromise, consistent with the CVSS 9.8 rating and the CWE-89 classification.

Public references from WPScan detail the affected plugin versions and confirm the unauthenticated attack surface. Site operators are advised to update the Classifieds Plugin to version 4.3 or later to eliminate the vulnerable code paths.

The CVE carries a high EPSS score (current 0.8658, peak 0.8733), indicating substantial exploitation likelihood since disclosure.

EU & UK References

Vulnerability details

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

strategy11 awp classifieds, versions ≤ 4.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing: uses SQL injection payloads against database interfaces, identifying SQL injection weaknesses and supporting their fixes. (addresses: CWE-89)

Query input validation: validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References