CVE-2022-2958
HIGH EXPLOITEDBadgeOS < 3.7.1.3 - Authenticated SQL Injection via AJAX Parameters
Title source: llmExploitation Summary
CVE-2022-2958 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections
References (1)
Core 1
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/8743534f-8ebd-496a-99bc-5052a8bac86a
Scores
CVSS v3
8.8
EPSS
0.0099
EPSS Percentile
58.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2023-11-17
CWE
CWE-89
Status
published
Products (1)
badgeos/badgos
< 3.7.1.3
Published
Sep 19, 2022
Tracked Since
Feb 18, 2026