CVE-2022-0747

Name of the Vulnerable Software and Affected Versions Infographic Maker WordPress plugin versions prior to 4.3.8

Description The issue concerns an unauthenticated SQL Injection. It occurs because the post id parameter is not properly validated and escaped before being used in a SQL statement via the qcld upvote action AJAX action. This action is accessible to both unauthenticated and authenticated users.

Recommendations For versions prior to 4.3.8, update to version 4.3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the qcld upvote action AJAX action to minimize the risk of exploitation. Avoid using the post id parameter in the affected AJAX endpoint until the issue is resolved.