CVE-2022-0657
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the 5 Stars Rating Funnel plugin. Attackers can potentially read, modify, or delete database content, including sensitive user data. All WordPress sites with vulnerable plugin versions are affected.
💻 Affected Systems
- 5 Stars Rating Funnel WordPress Plugin | RRatingg
📦 What is this software?
5 Stars Rating Funnel by 5 Stars Rating Funnel Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, site defacement, or full system takeover via SQL injection to RCE chaining.
Likely Case
Data exfiltration of user information, plugin settings, or WordPress configuration details that could enable further attacks.
If Mitigated
Limited impact with proper WAF rules, database permissions, and network segmentation preventing data exfiltration.
🎯 Exploit Status
SQL injection via lead_id parameter in rrtngg_delete_leads AJAX action. WPScan provides technical details and proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.54
Vendor Advisory: https://wpscan.com/vulnerability/e7fe8218-4ef5-4ef9-9850-8567c207e8e6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the '5 Stars Rating Funnel' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.2.54+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the rrtngg_delete_leads AJAX action via .htaccess or web server configuration
# Add to .htaccess (requires mod_rewrite):
RewriteEngine On
RewriteCond %{QUERY_STRING} action=rrtngg_delete_leads [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
# Caveat: admin-ajax.php reads the action from either the query string or the POST body, and mod_rewrite cannot inspect the body, so this rule only stops requests that put action= in the URL; a WAF or an application-level block is needed to cover POST bodies.
Web Application Firewall rule
Block SQL injection patterns targeting the vulnerable endpoint
WAF rule to block: POST /wp-admin/admin-ajax.php?action=rrtngg_delete_leads with SQL injection patterns in parameters
🧯 If You Can't Patch
- Disable or remove the 5 Stars Rating Funnel plugin entirely
- Implement network segmentation to isolate the WordPress instance and restrict database access
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins → Installed Plugins. If version is below 1.2.54, system is vulnerable.
Check Version:
wp plugin list --name="5 Stars Rating Funnel" --field=version
Note: the --name filter matches the plugin's directory slug as shown in the name column of wp plugin list, not its display title; run wp plugin list --fields=name,version first to find the exact slug to pass.
Verify Fix Applied:
Confirm plugin version is 1.2.54 or higher in WordPress admin. Test the rrtngg_delete_leads endpoint with SQL injection payloads to verify blocking.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=rrtngg_delete_leads containing SQL keywords
- Unusual database queries from WordPress application user
- Multiple failed SQL syntax errors in application logs
Network Indicators:
- HTTP POST requests with SQL injection patterns in parameters to WordPress AJAX endpoints
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=rrtngg_delete_leads*" AND (request_body="*UNION*" OR request_body="*SELECT*" OR request_body="*INSERT*" OR request_body="*DELETE*")
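The log indicators and SIEM query above can be tried offline against a few sample lines. The script below is an added example, not part of the original advisory: it parses constructed access-log lines (body appended as a final quoted field, as a body-logging module would write it), merges query-string and POST parameters because admin-ajax.php accepts the action in either, and flags any rrtngg_delete_leads request whose lead_id is not a plain integer. The assumption that a legitimate lead_id is numeric is mine, not stated on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from the advisory): combined log format with the
# POST body appended as a final quoted field.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Feb/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "action=rrtngg_delete_leads&lead_id=12"',
    '203.0.113.5 - - [01/Feb/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "action=rrtngg_delete_leads&lead_id=12%20UNION%20SELECT%20user_login%20FROM%20wp_users"',
    '198.51.100.7 - - [01/Feb/2022:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=rrtngg_delete_leads HTTP/1.1" 500 0 "lead_id=1%27%20OR%201%3D1--"',
    '198.51.100.9 - - [01/Feb/2022:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
# Keywords from the SIEM query plus common injection punctuation, used only to annotate alerts.
SQL_HINT_RE = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|SLEEP|BENCHMARK)\b|'|--|/\*", re.I)

def parse_line(line):
    """Split one log line into fields; merge query-string and body parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    params = parse_qs(url.query, keep_blank_values=True)   # action may sit in the URL...
    if rec["body"] != "-":                                  # ...or in the POST body
        for key, vals in parse_qs(rec["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    rec["path"], rec["params"] = url.path, params
    return rec

def suspicious_lead_id(rec):
    """Return the offending lead_id value, or None if the request looks benign.
    Assumption (not from the advisory): a legitimate lead_id is a plain integer."""
    if rec is None or rec["path"] != "/wp-admin/admin-ajax.php":
        return None
    if "rrtngg_delete_leads" not in rec["params"].get("action", []):
        return None
    for value in rec["params"].get("lead_id", []):
        if not value.isdigit():
            return value
    return None

def scan(lines):
    """Return one alert dict per request carrying a non-numeric lead_id."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        value = suspicious_lead_id(rec)
        if value is not None:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "lead_id": value,
                           "sql_hint": bool(SQL_HINT_RE.search(value))})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Because the check is on the parameter's type rather than on keyword lists, it also catches encoded or keyword-free payloads that the SIEM query's UNION/SELECT matching would miss.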