PT-2022-13549 · WordPress · Block Bad Bots/Stop Bad Bots Crawlers/Spiders/Anti Spam Protection

Cydave

·

Published

2022-04-11

·

Updated

2022-04-15

·

CVE-2022-0949

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin versions prior to 6.930
Description The issue arises from the improper sanitization and escaping of the fingerprint parameter before its use in a SQL statement via the "stopbadbots grava fingerprint" AJAX action. This action is available to unauthenticated users, leading to a SQL injection.
Recommendations For versions prior to 6.930, update to version 6.930 or later to resolve the issue. As a temporary workaround, consider restricting access to the "stopbadbots grava fingerprint" AJAX action to minimize the risk of exploitation. Avoid using the fingerprint parameter in the affected AJAX endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2022-0949

Affected Products

Block Bad Bots/Stop Bad Bots Crawlers/Spiders/Anti Spam Protection