Cyber Resilience

CVE-2022-46887

CriticalPublic PoC

Published: 19 January 2023

Published
19 January 2023
Modified
03 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0278 86.4th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-46887 is a critical-severity SQL Injection (CWE-89) vulnerability in Nexusphp Nexusphp. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

NexusPHP versions prior to 1.7.33 contain multiple SQL injection flaws that permit remote attackers to execute arbitrary SQL commands. The issues reside in the conuser[] parameter of takeconfirm.php, the delcheater parameter of cheaterbox.php, and the usernw parameter of nowarn.php, and are tracked under CWE-89 with a CVSS 3.1 score of 9.8.

Unauthenticated attackers reachable over the network can supply crafted input to these parameters and achieve full read, write, and delete access to the underlying database, resulting in potential compromise of user data, administrative functions, and application integrity.

The official fix is included in the NexusPHP v1.7.33 release, while a SureCloud security review independently identified the same authenticated and unauthenticated injection vectors. The associated EPSS score rose from a low baseline to a peak of 0.2594 before receding to its current value of 0.0278, indicating a period of increased exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Multiple SQL injection vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to execute arbitrary SQL commands via the conuser[] parameter in takeconfirm.php; the delcheater parameter in cheaterbox.php; or the usernw parameter in nowarn.php.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nexusphp
nexusphp
≤ 1.7.33

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References