CVE-2022-4297

moderate-risk
Published 2023-01-02

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection

Do I need to act?

~
3.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
51560
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Wp Autocomplete Search

Affected Vendors

Netflixtech

References (4)

http://packetstormsecurity.com/files/173293/WordPress-WP-AutoComplete-Search-1.0...
Exploit https://wpscan.com/vulnerability/e2dcc76c-65ac-4cd6-a5c9-6d813b5ac26d
http://packetstormsecurity.com/files/173293/WordPress-WP-AutoComplete-Search-1.0...
Exploit https://wpscan.com/vulnerability/e2dcc76c-65ac-4cd6-a5c9-6d813b5ac26d
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal