Cyber Resilience

CVE-2022-4117

Critical · Public PoC

Published: 26 December 2022
Modified: 14 April 2025
KEV Added: none (not in CISA KEV)
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6081 (98.3rd percentile)
Risk Priority: 56 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-4117 is a critical-severity vulnerability of unspecified weakness type (no CWE listed) in Iws-Geo-Form-Fields by the Iws-Geo-Form-Fields Project. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The IWS WordPress plugin through version 1.0 contains an unauthenticated SQL injection vulnerability. The flaw stems from improper escaping of a parameter used in a SQL statement within an AJAX action that is reachable without authentication, allowing direct manipulation of database queries.

An unauthenticated attacker can invoke the affected AJAX endpoint over the network to inject arbitrary SQL, which the CVSS 9.8 rating reflects as full loss of confidentiality, integrity, and availability on the target site.

The vulnerability is documented in WPScan advisories at the referenced URLs, which identify the affected plugin versions and recommend updating or removing the plugin to eliminate the exposed AJAX action.

EPSS for this CVE rose from a low baseline after disclosure to a peak of 0.8354 in December 2025 before receding to the current value of 0.6081, indicating exploitation interest that emerged well after publication and warrants renewed attention.

EU & UK References

Vulnerability details

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
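The pattern described in the deeper analysis and in the details above, as an added illustration: a WordPress AJAX handler that interpolates a request parameter into SQL and is registered on the unauthenticated (nopriv) hook, beside a hardened form. This is not the plugin's own code and is not taken from the WPScan advisory; the hook, action, parameter and table names (example_lookup, field_id, example_fields) are hypothetical placeholders.

```php
<?php
// Added illustration, not code from the iws-geo-form-fields plugin.
// All hook, action, parameter and table names are hypothetical.

// Weak pattern: the request parameter lands directly in the query text, and the
// handler is also registered on wp_ajax_nopriv_*, so any visitor can reach it.
function example_lookup_vulnerable() {
    global $wpdb;
    $field_id = isset( $_POST['field_id'] ) ? $_POST['field_id'] : '';
    $table    = $wpdb->prefix . 'example_fields';
    // Untrusted input concatenated into SQL: this is the injection point.
    $sql  = "SELECT * FROM {$table} WHERE id = '{$field_id}'";
    $rows = $wpdb->get_results( $sql );
    wp_send_json( $rows );
}
add_action( 'wp_ajax_example_lookup', 'example_lookup_vulnerable' );
add_action( 'wp_ajax_nopriv_example_lookup', 'example_lookup_vulnerable' );

// Hardened pattern: bind the parameter through $wpdb->prepare(), coerce it to
// the expected type, require a nonce and a capability, and register the action
// only for logged-in users (no nopriv hook) unless anonymous use is required.
function example_lookup_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_lookup_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $field_id = isset( $_POST['field_id'] ) ? absint( $_POST['field_id'] ) : 0;
    $table    = $wpdb->prefix . 'example_fields';
    $rows     = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $field_id )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_lookup_safe', 'example_lookup_hardened' );
```

When auditing a plugin for this class of flaw, the two things to check are every `wp_ajax_nopriv_*` registration (is anonymous access actually needed?) and every `$wpdb` call in the handlers those hooks reach (is each request-derived value passed through `$wpdb->prepare()` or a type coercion such as `absint()` rather than concatenated?). For this CVE the advisories' guidance is to update or remove the plugin so the exposed action is no longer reachable.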

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: iws-geo-form-fields project
Product: iws-geo-form-fields
Versions: ≤ 1.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References