BadgeOS < 3.7.1.3 - Subscriber+ SQLi
CVE-2022-2958

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Badgeos
Vendor: CVE Published:; 19 September 2022

Summary

The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections

Affected Version(s)

BadgeOS 3.7.1.3

References

https://wpscan.com/vulnerability/8743534f-8ebd-496a-99bc-...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 19, 2022
Vulnerability Reserved
Aug 23, 2022

Credit

cydave