CVE-2022-0412
CVE-2022-0412 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro WordPress plugins before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks. EPSS estimates a 74.58% chance of exploitation in the next 30 days.
Description
The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
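As an added illustration of the defect class the description names (this is not the plugin's code, which the record does not show), the weak pattern of interpolating a REST parameter into SQL is shown beside the hardened form using WordPress's argument schema and $wpdb->prepare(); the route namespace, callback names and table name are assumptions:

```php
<?php
// Added example, not the plugin's code. Route namespace, callbacks and the
// table name are assumptions made for illustration.

// WEAK PATTERN (the defect class the advisory describes): the request value is
// interpolated straight into the SQL text, so the database executes whatever
// the client sent in item_id.
function example_remove_product_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $item_id = $request->get_param( 'item_id' );   // untrusted, unsanitised
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_wishlist_items WHERE ID = $item_id" );
    return rest_ensure_response( array( 'status' => 'ok' ) );
}

// HARDENED FORM: the argument schema rejects non-integers before the callback
// runs, the value is cast with absint(), and the statement is built with
// $wpdb->prepare() so item_id is bound as a number rather than spliced into SQL.
function example_remove_product_safe( WP_REST_Request $request ) {
    global $wpdb;
    $item_id = absint( $request->get_param( 'item_id' ) );
    if ( 0 === $item_id ) {
        return new WP_Error( 'invalid_item', 'Invalid item_id', array( 'status' => 400 ) );
    }
    $table   = $wpdb->prefix . 'example_wishlist_items';   // assumed table name
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE ID = %d", $item_id )
    );
    if ( false === $deleted ) {
        return new WP_Error( 'db_error', 'Could not remove item', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'removed' => (int) $deleted ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/wishlist/remove_product', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_remove_product_safe',
        // The advisory says the endpoint was reachable unauthenticated; require
        // a logged-in user unless anonymous access is a deliberate design choice.
        'permission_callback' => function () { return is_user_logged_in(); },
        'args'                => array(
            'item_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
                'validate_callback' => 'rest_validate_request_arg',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this defect, look for REST callbacks that pass request parameters into $wpdb->query() or $wpdb->get_results() without $wpdb->prepare() or the $wpdb->delete()/update() helpers.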
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Templateinvaders | Ti Woocommerce Wishlist | < 1.40.1 |
References
- https://plugins.trac.wordpress.org/changeset/2668899 (Release Notes, Third Party Advisory)
- https://wpscan.com/vulnerability/e984ba11-abeb-4ed4-9dad-0bfd539a9682 (Exploit, Third Party Advisory)
Source: NVD / NIST
