CVE-2022-0657

State: PUBLISHED · Published: 2022-04-25 · Updated: 2024-08-02 · Assigner: WPScan

Description

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.

CWE

CWE-89 — CWE-89 SQL Injection

Affected

Unknown / 5 Stars Rating Funnel WordPress Plugin | RRatingg — v=1.2.54 <1.2.54 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/e7fe8218-4ef5-4ef9-9850-8567c207e8e6 x_refsource_MISC

Source

cvelistV5-main/cves/2022/0xxx/CVE-2022-0657.json