CVE-2022-0781
📋 TL;DR
CVE-2022-0781 is an unauthenticated SQL injection vulnerability in the Nirweb Support WordPress plugin. Attackers can execute arbitrary SQL commands through a vulnerable AJAX endpoint, potentially compromising the entire WordPress database. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Nirweb Support Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, remote code execution via file writes, and full site takeover.
Likely Case
Database information disclosure, user credential theft, and potential administrative access to the WordPress site.
If Mitigated
Limited impact if proper WAF rules block SQL injection patterns and database user has minimal privileges.
🎯 Exploit Status
Simple SQL injection via AJAX endpoint with no authentication required. Exploit tools and scripts are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.2
Vendor Advisory: https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Nirweb Support' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.8.2+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable AJAX action via .htaccess or web server configuration
# Add to .htaccess
# Note: QUERY_STRING only covers parameters sent in the URL; an action sent in a POST body
# is not matched here, so pair this with the ModSecurity rule below.
RewriteCond %{QUERY_STRING} action=nirweb_support [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Web Application Firewall rule
Block SQL injection patterns targeting the Nirweb Support plugin endpoints
# ModSecurity rule example (chained: all three conditions must match to deny)
# phase:2 runs after the request body is parsed, so ARGS covers POST parameters as well as the query string
SecRule REQUEST_URI "@contains wp-admin/admin-ajax.php" \
"chain,id:1001,phase:2,deny,status:403,msg:'Nirweb Support SQLi attempt'"
SecRule ARGS:action "@streq nirweb_support" \
"chain"
SecRule ARGS "@detectSQLi"
🧯 If You Can't Patch
- Disable or remove the Nirweb Support plugin entirely
- Implement strict network segmentation and limit database user privileges to minimum required
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Nirweb Support → Version number. If version is below 2.8.2, you are vulnerable.
Check Version:
# From WordPress root directory
grep -r "Version:" wp-content/plugins/nirweb-support/nirweb-support.php | head -1
Verify Fix Applied:
After updating, verify plugin version shows 2.8.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with 'action=nirweb_support' parameter
- Database error logs showing SQL syntax errors
- Unusual database queries from WordPress application user
Network Indicators:
- POST requests to admin-ajax.php with SQL injection payloads in parameters
- Unusual outbound database connections from web server
SIEM Query:
source="web_access_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=nirweb_support*" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*INSERT*" OR query_string="*UPDATE*")
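The SIEM query above as an offline check over web access logs, written as an added example for this page (not code from the plugin or advisory). It assumes Apache combined log format, the action name `action=nirweb_support` as given above, and constructed sample lines; it URL-decodes parameters and matches keywords case-insensitively, which the wildcard query does not.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format; not captured from a real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=nirweb_support HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2022:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=nirweb_support&id=1%20union%20select%201 HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.0.2.9 - - [10/Mar/2022:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2022:12:00:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The keywords the SIEM query looks for, matched case-insensitively after URL decoding.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update)\b", re.IGNORECASE)
VULN_ACTION = "nirweb_support"  # AJAX action name as given on this page


def classify_request(line):
    """Return (ip, severity, decoded params) for a request to the vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if VULN_ACTION not in params.get("action", []):
        return None
    # Access logs carry only the query string: a POST body aimed at the same action is not
    # visible here, so a bare hit on the action is still reported for correlation with the
    # WAF and database error logs listed under Log Indicators.
    decoded = {k: v for k, v in params.items() if k != "action"}
    sqli = any(SQL_KEYWORDS.search(val) for vals in decoded.values() for val in vals)
    severity = "sqli_pattern" if sqli else "endpoint_hit"
    return (m.group("ip"), severity, decoded)


def scan_log(text):
    """Classify every line; returns a list of (ip, severity, params) findings in log order."""
    findings = []
    for line in text.splitlines():
        hit = classify_request(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for ip, severity, params in scan_log(SAMPLE_LOG):
        print(f"{severity:13} {ip:15} {params}")
```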