CVE-2022-0783
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the Multiple Shipping Address Woocommerce plugin. Attackers can steal sensitive data, modify database content, or potentially gain administrative access. All WordPress sites with the vulnerable plugin version are affected.
💻 Affected Systems
- Multiple Shipping Address Woocommerce WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, site defacement, backdoor installation, and potential server takeover through privilege escalation.
Likely Case
Data exfiltration of user information, order details, and potentially administrative credentials leading to site compromise.
If Mitigated
Limited impact with proper network segmentation, database user privilege restrictions, and web application firewall rules blocking SQL injection patterns.
🎯 Exploit Status
SQL injection via AJAX endpoints requires no authentication. Exploitation is straightforward with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0 and later
Vendor Advisory: https://wpscan.com/vulnerability/4d594424-8048-482d-b61c-45be1e97a8ba
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Multiple Shipping Address Woocommerce'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 2.0+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
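Block access to the vulnerable AJAX actions via .htaccess or web server configuration. The rule below inspects only the query string, so it does not cover requests that send the action parameter in a POST body.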
# Add to .htaccess for Apache:
RewriteCond %{QUERY_STRING} action=msawoo_ [NC]
RewriteRule .* - [F,L]
Web Application Firewall rule
Implement WAF rules to block SQL injection patterns targeting the vulnerable plugin endpoints
# Example ModSecurity rule:
SecRule ARGS_GET:action "@rx msawoo_" \
"id:1001,phase:2,deny,status:403,msg:'Blocking Multiple Shipping Address plugin SQLi attempt'"
🧯 If You Can't Patch
- Immediately disable or uninstall the Multiple Shipping Address Woocommerce plugin
- Implement strict network access controls to limit exposure of the WordPress site
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Multiple Shipping Address Woocommerce → Version number. If version is below 2.0, the site is vulnerable.
Check Version:
# --name filters on the plugin's directory slug, not its display title; <plugin-slug> is a placeholder
wp plugin list --name='<plugin-slug>' --field=version
Verify Fix Applied:
Confirm plugin version is 2.0 or higher in WordPress admin panel and test that the AJAX endpoints no longer accept malicious SQL payloads.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'msawoo_' and SQL injection patterns
- Unusual database queries from web application user
- Multiple failed login attempts following SQL injection attempts
Network Indicators:
- Unusual outbound database connections from web server
- Traffic patterns showing SQL error messages in responses
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=msawoo_*" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*UPDATE*" OR query="*DELETE*")
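The log indicator and SIEM query above can also be applied directly to a web server access log. The following is an added example, not part of the original advisory: it assumes Combined Log Format, and the action name `msawoo_example`, the `id` parameter and the log lines are constructed for illustration. Unlike the literal SIEM match, it percent-decodes the query string before looking for the SQL keywords.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: client IP ... "METHOD URI PROTOCOL" STATUS
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Same keywords as the SIEM query above, matched as whole words after decoding.
SQL_KEYWORDS = re.compile(r'\b(UNION|SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "msawoo_"


def classify(line):
    """Return None, or a dict describing a request to a msawoo_ AJAX action."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if parts.path != AJAX_PATH:
        return None
    # parse_qsl percent-decodes names and values, so %53ELECT and mixed case are normalised.
    params = parse_qsl(parts.query, keep_blank_values=True)
    actions = [v for k, v in params
               if k == "action" and v.lower().startswith(ACTION_PREFIX)]
    if not actions:
        return None
    hits = sorted({kw.upper() for k, v in params if k != "action"
                   for kw in SQL_KEYWORDS.findall(v)})
    return {"ip": m["ip"], "action": actions[0], "status": int(m["status"]),
            "sql_keywords": hits, "suspicious": bool(hits)}


def scan(lines):
    """Classify every line and keep only requests that reached a msawoo_ action."""
    return [r for r in map(classify, lines) if r]


# Constructed sample log lines (documentation IP ranges, made-up action and parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=msawoo_example&id=5 HTTP/1.1" 200 120',
    '203.0.113.9 - - [01/Mar/2022:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=msawoo_example&id=1%20uNiOn%20%53ELECT%201 HTTP/1.1" 200 431',
    '198.51.100.7 - - [01/Mar/2022:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
    '198.51.100.7 - - [01/Mar/2022:10:00:12 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for record in scan(SAMPLE_LOG):
        print(record)
```

Standard access logs do not record request bodies, so this only sees parameters sent in the URL; POST bodies need WAF audit logs or application-level logging.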