CVE-2022-0254

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an attacker with access to the admin dashboard to perform SQL injection against WordPress sites running the Zero Spam plugin before version 5.2.11. Arbitrary SQL commands can be executed through the unsanitized order and orderby parameters used by the plugin in the admin dashboard. Any WordPress installation with the vulnerable plugin installed is affected.

💻 Affected Systems

Products:
  • WordPress Zero Spam plugin
Versions: All versions before 5.2.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin dashboard access; affects WordPress installations with the vulnerable plugin.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion, and potential remote code execution through database functions.

🟠

Likely Case

Unauthorized data access, privilege escalation, or site defacement through SQL injection.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access; SQL injection is well-documented and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.11

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2680906

Restart Required: No

Instructions:

1. Log into WordPress admin.
2. Go to Plugins > Installed Plugins.
3. Find the Zero Spam plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.2.11 or later from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Zero Spam Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate zero-spam

Restrict Admin Access

all

Limit admin dashboard access to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Remove admin privileges from untrusted users and enforce strong authentication

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Zero Spam version below 5.2.11.

Check Version:

wp plugin get zero-spam --field=version

Verify Fix Applied:

Confirm Zero Spam plugin version is 5.2.11 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin dashboard
  • Suspicious order/orderby parameters in web server logs

Network Indicators:

  • SQL error messages in HTTP responses
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND ("order=" OR "orderby=") AND ("SELECT" OR "UNION" OR "OR 1=1")
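The order/orderby log indicator and the SIEM query above, written out as a script (an added example, not code from the advisory or from the plugin): it parses constructed access-log lines, URL-decodes the sort parameters of admin-dashboard requests and flags any value outside an allowlist, which catches payloads the keyword query would miss. The admin page slug, the column names and the log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Combined Log Format), not real traffic.
# The admin page slug "zero-spam-admin" is a placeholder, not the plugin's real slug.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=zero-spam-admin&orderby=date_added&order=desc HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:10:00:02 +0000] "GET /wp-admin/admin.php?page=zero-spam-admin&orderby=date_added%20UNION%20SELECT%201,2,3--&order=asc HTTP/1.1" 200 612 "-" "curl/7.79.1"
203.0.113.7 - - [10/Jan/2022:10:00:03 +0000] "GET /wp-admin/admin.php?page=zero-spam-admin&orderby=date_added&order=desc%20OR%201%3D1 HTTP/1.1" 500 0 "-" "curl/7.79.1"
203.0.113.9 - - [10/Jan/2022:10:00:04 +0000] "GET /wp-admin/admin.php?page=zero-spam-admin&orderby=user_ip&order=descending HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2022:10:00:05 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Allowlists: the only values a sortable admin table should ever receive.
# The column names are hypothetical; take them from the table definition in use.
ALLOWED_ORDER = {"asc", "desc"}
ALLOWED_ORDERBY = {"date_added", "user_ip", "log_type"}

# Secondary signal: common SQL injection fragments (used for labelling, not for deciding).
SQLI_RE = re.compile(r"(union\s+select|\bor\s+1\s*=\s*1|--|/\*|;|'|\bsleep\s*\()", re.I)

def check_sort_params(query: str) -> list:
    """Return (param, value, reason) for every order/orderby value outside the allowlist."""
    findings = []
    for name, allowed in (("order", ALLOWED_ORDER), ("orderby", ALLOWED_ORDERBY)):
        for raw in parse_qs(query, keep_blank_values=True).get(name, []):
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if value.lower() not in allowed:
                reason = "sqli-pattern" if SQLI_RE.search(value) else "not-in-allowlist"
                findings.append((name, value, reason))
    return findings

def scan_log(text: str) -> list:
    """Flag admin-dashboard requests whose sort parameters are not allowlisted values."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith("/wp-admin/"):
            continue
        for name, value, reason in check_sort_params(urlsplit(m.group("target")).query):
            alerts.append({"ip": m.group("ip"), "status": m.group("status"),
                           "param": name, "value": value, "reason": reason})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` on the constructed lines yields three alerts: two tagged sqli-pattern and one tagged not-in-allowlist for the unexpected value `descending`, which the keyword-based SIEM query alone would not surface.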

🔗 References