CVE-2022-4049
Published: 02 January 2023
Summary
CVE-2022-4049 is a critical-severity vulnerability (weakness type unspecified) in WP User by WP User Project. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The WP User WordPress plugin through version 7.0 is affected by a SQL injection vulnerability. The plugin fails to properly sanitize and escape a parameter before incorporating it into a SQL statement, allowing direct manipulation of database queries.
Unauthenticated attackers can exploit the flaw over the network without any credentials or user interaction. Successful exploitation can result in full compromise of confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.
The EPSS score rose from a low post-disclosure baseline to a peak of 0.8554 on 2025-12-18 and has since receded to its current value of 0.6656; exploitation interest increased after publication, so the issue merits renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51426
Vulnerability details
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.