Cyber Resilience

CVE-2022-4049

Critical · Public PoC

Published: 02 January 2023
Modified: 10 April 2025
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.6656 (98.6th percentile)
Risk priority: 60 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-4049 is a critical-severity SQL injection vulnerability in the WP User WordPress plugin (vendor listed as "wp user project", product "wp user"). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood (EPSS 0.6656); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The WP User WordPress plugin through version 7.0 is affected by a SQL injection vulnerability. The plugin fails to properly sanitize and escape a request parameter before incorporating it into a SQL statement, so the value is parsed as part of the query text rather than compared as data, allowing direct manipulation of the database query. The advisory does not name the parameter.
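The bug class above, shown as an added illustration rather than code from the plugin (WP User is written in PHP; this is a Python/sqlite3 model): an untrusted request parameter spliced into a SQL statement beside the parameterized form that fixes it, plus the common half-fix of escaping quotes for a value that lands in an unquoted numeric context. The table, column and parameter names are hypothetical, and the WordPress `$wpdb->prepare()` references in the comments describe the equivalent fix, not this plugin's code.

```python
"""
Added illustration, not code from the WP User plugin (which is PHP): a
Python/sqlite3 model of an untrusted request parameter spliced into a SQL
statement, beside the parameterized form that fixes it. Table, column and
parameter names are hypothetical.
"""
import sqlite3


def make_db():
    # Constructed sample data, loosely modelled on a WordPress users table.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    con.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("admin", "admin@example.com"), ("alice", "alice@example.com"),
         ("bob", "bob@example.com")],
    )
    return con


def find_by_login_vulnerable(con, user_login):
    # Vulnerable pattern: the parameter becomes part of the query text, so a
    # quote inside it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT ID, user_login FROM wp_users WHERE user_login = '"
           + user_login + "'")
    return con.execute(sql).fetchall()


def find_by_id_escaped_only(con, user_id):
    # Common half-fix: quotes are escaped, but the value lands in an unquoted
    # numeric context, so a payload containing no quotes still injects.
    escaped = str(user_id).replace("'", "''")
    sql = "SELECT ID, user_login FROM wp_users WHERE ID = " + escaped
    return con.execute(sql).fetchall()


def find_by_login_hardened(con, user_login):
    # Hardened pattern: the value is bound as a parameter and can only ever be
    # compared as data. In WordPress this is $wpdb->prepare() with a %s placeholder.
    sql = "SELECT ID, user_login FROM wp_users WHERE user_login = ?"
    return con.execute(sql, (user_login,)).fetchall()


def find_by_id_hardened(con, user_id):
    # Numeric parameters are type-checked before binding (%d in $wpdb->prepare()).
    return con.execute(
        "SELECT ID, user_login FROM wp_users WHERE ID = ?", (int(user_id),)
    ).fetchall()


# Constructed injection payloads.
LOGIN_PAYLOAD = "x' OR '1'='1"   # turns the WHERE clause into an always-true test
ID_PAYLOAD = "0 OR 1=1"          # contains no quotes, so quote-escaping does not help


def demo():
    con = make_db()
    results = {
        "vulnerable_login": find_by_login_vulnerable(con, LOGIN_PAYLOAD),
        "escaped_only_id": find_by_id_escaped_only(con, ID_PAYLOAD),
        "hardened_login": find_by_login_hardened(con, LOGIN_PAYLOAD),
        "hardened_login_legit": find_by_login_hardened(con, "alice"),
    }
    try:
        find_by_id_hardened(con, ID_PAYLOAD)
        results["hardened_id_rejected"] = False
    except ValueError:
        # int("0 OR 1=1") fails, so the request is rejected before any SQL runs.
        results["hardened_id_rejected"] = True
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both injected lookups return every row of the table; the bound-parameter versions return nothing for the string payload and reject the numeric payload outright. The point of the escaped-only case is that escaping is context-dependent, whereas binding is not, which is why the fix for this class of bug is parameterization rather than more escaping.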

The flaw is reachable over the network by unauthenticated attackers and requires no user interaction (AV:N/PR:N/UI:N). Successful exploitation can result in full compromise of confidentiality, integrity, and availability of the WordPress database, consistent with the CVSS 9.8 rating.
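Because exploitation needs no credentials, the practical detection surface is the web server access log. The following is an added example, not part of this page or of the plugin: it flags requests whose query-string parameters carry SQL injection payloads, run over a few constructed Apache-style log lines. The admin-ajax action and the `q` parameter are hypothetical (the advisory does not name the vulnerable parameter), so the path and parameter filters should be tuned to the plugin's real endpoints before use.

```python
"""
Added example, not from the original page or the plugin: flag HTTP requests
whose query-string parameters carry SQL injection payloads, run over a few
constructed Apache-style access log lines. The admin-ajax action and the
parameter name are hypothetical.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Tokens that have no business in an ordinary plugin parameter value.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bunion\b\s+(?:all\s+)?\bselect\b",
        r"\b(?:or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+",   # ' OR '1'='1 , OR 1=1
        r"\b(?:sleep|benchmark|pg_sleep)\s*\(",                 # time-based blind probes
        r"\b(?:information_schema|wp_users)\b",
        r"(?:--|/\*)",                                          # comment markers truncating the statement
    )
]

# Combined log format, parsed up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def decode_params(target):
    """Return the query parameters of a request target, fully percent-decoded."""
    params = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # Decode until stable so double-encoded payloads (%2527 -> %27 -> ') are seen.
        previous = None
        while value != previous:
            previous, value = value, unquote_plus(value)
        params[name] = value
    return params


def find_sqli(line):
    """Return a finding dict for a log line carrying an injection payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for name, value in decode_params(m["target"]).items():
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                hits.append((name, pattern.pattern))
                break
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "path": urlsplit(m["target"]).path,
        "status": int(m["status"]),
        "params": hits,
    }


def scan(lines):
    return [f for f in (find_sqli(line) for line in lines) if f]


# Constructed sample log lines (RFC 5737 addresses; paths and parameters hypothetical).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2025:10:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=wpuser_search&q=andrew HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Apr/2025:10:01:30 +0000] "GET /wp-admin/admin-ajax.php?action=wpuser_search&q=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Apr/2025:10:01:31 +0000] "GET /wp-admin/admin-ajax.php?action=wpuser_search&q=x%2527%2520UNION%2520SELECT%2520user_login%252Cuser_pass%2520FROM%2520wp_users--%2520 HTTP/1.1" 500 231 "-" "python-requests/2.31"',
    '192.0.2.8 - - [10/Apr/2025:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign `q=andrew` line is not flagged (the `\b` anchors stop `and` from matching inside a word), the single-encoded `' OR '1'='1` probe and the double-encoded `UNION SELECT` probe both are, and the login POST carries no query string. Only GET parameters are visible in a standard access log; POST bodies need a WAF or application-level logging to be inspected the same way.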

The EPSS score rose from a low baseline after disclosure to a peak of 0.8554 on 2025-12-18 before receding to the current value of 0.6656, indicating that exploitation interest increased post-publication and that the issue merits renewed attention.

Vulnerability details

The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

CWE(s)
None listed (the weakness described above is SQL injection, which corresponds to CWE-89).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wp user project
Product: wp user
Versions: ≤ 7.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.