CVE-2022-0836

CRITICAL

SEMA API < 4.02 - Unauthenticated SQL Injection via AJAX Action

Title source: llm
STIX 2.1

Description

The SEMA API WordPress plugin before 4.02 does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/2a226ae8-7d9c-4f47-90af-8a399a08f03f

Scores

CVSS v3 9.8
EPSS 0.0178
EPSS Percentile 75.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
semadatacoop/sema_api < 4.02
Published May 09, 2022
Tracked Since Feb 18, 2026