CVE-2022-0948
CRITICAL EXPLOITED NUCLEIOrder Listener for WooCommerce < 3.2.2 - Unauthenticated SQL Injection via REST Route id Parameter
Title source: llmExploitation Summary
CVE-2022-0948 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection
Nuclei Templates (1)
WordPress Order Listener for WooCommerce <3.2.2 - SQL Injection
CRITICALVERIFIEDby theamanrawat
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
Release Notes, Vendor Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2707223
Scores
CVSS v3
9.8
EPSS
0.0979
EPSS Percentile
94.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2026-03-09
CWE
CWE-89
Status
published
Products (1)
pluginbazaar/order_listener_for_woocommerce
< 3.2.2
Published
May 09, 2022
Tracked Since
Feb 18, 2026