CVE-2022-4297

CRITICAL

WP AutoComplete Search < 1.0.4 - Unauthenticated SQL Injection via AJAX Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-4297. PoCs published by matitanium.

AI-analyzed exploit summary: This is a writeup describing an unauthenticated SQL injection vulnerability in the WP AutoComplete Search WordPress plugin through 1.0.4. The exploit leverages the 'q' parameter in an AJAX request to perform SQL injection.

Description

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX endpoint available to unauthenticated users, leading to an unauthenticated SQL injection.

Exploits (1)

exploitdb WRITEUP
by matitanium · text · webapps · php
https://www.exploit-db.com/exploits/51560

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: WP AutoComplete Search WordPress plugin <= 1.0.4
No auth needed
Prerequisites: WP AutoComplete Search WordPress plugin <= 1.0.4 installed
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References (2)
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/e2dcc76c-65ac-4cd6-a5c9-6d813b5ac26d

Scores

CVSS v3 9.8
EPSS 0.0360
EPSS Percentile 87.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

Status published
Products (1)
netflixtech/wp_autocomplete_search < 1.0.4
Published Jan 02, 2023
Tracked Since Feb 18, 2026