CVE-2022-0867
📋 TL;DR
CVE-2022-0867 is a critical SQL injection vulnerability in the Pricing Table WordPress plugin that allows unauthenticated attackers to execute arbitrary SQL commands. This can lead to complete database compromise, including data theft, modification, or deletion. Any WordPress site running the vulnerable plugin version is affected.
💻 Affected Systems
- WordPress Pricing Table plugin
📦 What is this software?
Pricing Table by Reputeinfosystems
⚠️ Risk & Real-World Impact
Worst Case
Complete database takeover allowing data exfiltration, privilege escalation, remote code execution via database functions, and site compromise.
Likely Case
Database information disclosure, data manipulation, and potential administrative access to WordPress.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking SQL injection patterns, and database user privilege restrictions.
🎯 Exploit Status
Simple SQL injection via POST parameters to AJAX endpoints. Multiple public exploits available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.1
Vendor Advisory: https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Pricing Table' plugin.
4. Click 'Update Now' if update available.
5. Alternatively, download version 3.6.1+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Remove or block access to the vulnerable AJAX action handlers via .htaccess or web server configuration.
# Add to .htaccess or web server config to block wp-admin/admin-ajax.php requests with vulnerable parameters
# Note: QUERY_STRING only covers the URL query; an 'action' value sent in the POST body is not
# matched by this rule, so pair it with the WAF rule below (which inspects ARGS_POST).
RewriteCond %{QUERY_STRING} action=wpt_ajax [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Web Application Firewall rule
Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoints.
# Example ModSecurity rule to block exploitation
SecRule ARGS_POST "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt on Pricing Table plugin'"
🧯 If You Can't Patch
- Immediately disable or remove the Pricing Table plugin from all WordPress installations.
- Implement network-level blocking of requests to wp-admin/admin-ajax.php containing suspicious SQL patterns.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Pricing Table plugin version. If version is below 3.6.1, system is vulnerable.
Check Version:
wp plugin list --name='pricing-table' --field=version (if WP-CLI installed) or check WordPress admin interface
Verify Fix Applied:
Confirm plugin version is 3.6.1 or higher in WordPress admin panel. Test AJAX endpoints with SQL injection payloads to ensure they are properly sanitized.
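The version check above can be applied across a fleet by feeding `wp plugin list --format=json` output from each site into a small script. The following is an added example, not part of the advisory or the plugin project: the inventory is a constructed sample, the `pricing-table` slug is taken from the WP-CLI command above, and the site names are placeholders. It compares versions numerically rather than as strings, which matters because a lexicographic comparison would wrongly rank a hypothetical 3.10.0 below 3.6.1.

```python
"""Check WP-CLI plugin inventory for a Pricing Table version below the fixed release."""
import json
import re

FIXED_VERSION = "3.6.1"        # patch version from the advisory
PLUGIN_SLUG = "pricing-table"  # slug used by the advisory's WP-CLI command (assumption)

# Constructed sample of `wp plugin list --format=json` output from three sites.
SAMPLE_INVENTORY = {
    "site-a.example": '[{"name":"pricing-table","status":"active","update":"available","version":"3.5.2"},'
                      '{"name":"akismet","status":"inactive","update":"none","version":"4.2.2"}]',
    "site-b.example": '[{"name":"pricing-table","status":"active","update":"none","version":"3.10.0"}]',
    "site-c.example": '[{"name":"hello-dolly","status":"inactive","update":"none","version":"1.7.2"}]',
}


def parse_version(text):
    """'3.6.1' -> (3, 6, 1). A suffix such as '3.6.1-beta' is dropped so the
    comparison stays numeric; string comparison would rank 3.10.0 below 3.6.1."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess(inventory, slug=PLUGIN_SLUG):
    """Map each site to 'vulnerable (...)', 'patched (...)' or 'not installed'."""
    result = {}
    for site, json_text in inventory.items():
        plugins = {p["name"]: p for p in json.loads(json_text)}
        if slug not in plugins:
            result[site] = "not installed"
            continue
        plugin = plugins[slug]
        if is_vulnerable(plugin["version"]):
            # Status is reported too: a deactivated copy still leaves the files on disk.
            result[site] = f"vulnerable ({plugin['version']}, {plugin['status']})"
        else:
            result[site] = f"patched ({plugin['version']})"
    return result


if __name__ == "__main__":
    for site, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{site}: {verdict}")
```

Collect the JSON with `wp plugin list --format=json` on each host (or over `wp --ssh=` where configured) and pass the per-site strings to `assess`; anything reported as vulnerable should be updated to 3.6.1 or later per the instructions above.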
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=wpt_ajax' parameter containing SQL keywords (UNION, SELECT, INSERT, etc.)
- Database error logs showing SQL syntax errors from WordPress queries
- Unusual database queries originating from web server process
Network Indicators:
- HTTP POST requests to WordPress AJAX endpoints with SQL injection payloads
- Unusual outbound database connections from web server
SIEM Query:
source="web_access.log" AND uri_path="/wp-admin/admin-ajax.php" AND (http_method="POST" AND query_string="*action=wpt_ajax*") AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*INSERT*")
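For sites without a SIEM, the same log indicators can be checked directly against the web server access log. The script below is an added example, not code from the advisory: it parses Apache combined-format lines (a constructed sample is embedded), keeps only POST requests to `/wp-admin/admin-ajax.php` whose `action` parameter is `wpt_ajax`, and flags any parameter value containing the SQL keywords the page lists or a quote-based tautology. The keyword list and the regular expressions are assumptions chosen for illustration, not the plugin's or a vendor's rule set.

```python
"""Flag admin-ajax.php requests matching the CVE-2022-0867 log indicators."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format. The request target keeps
# its query string, which is where the page's SIEM query looks for action=wpt_ajax.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2022:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpt_ajax&id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2022:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpt_ajax&id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "curl/7.68.0"
198.51.100.2 - - [10/Feb/2022:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2022:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=wpt_ajax&id=3%27%20OR%201%3D1--%20 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Feb/2022:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=wpt_ajax&id=select HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# SQL keywords named in the page's indicators, plus a quote-then-OR tautology pattern.
SQLI_RE = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b|['\"]\s*OR\s+\S+\s*=",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict of the fields we need, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs percent-decodes values, so %20UNION%20SELECT becomes ' UNION SELECT'
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def matches_indicator(entry, path="/wp-admin/admin-ajax.php", action="wpt_ajax"):
    """Return a short reason string when the entry matches the page's indicators, else None."""
    if entry["method"] != "POST" or entry["path"] != path:
        return None
    if action not in entry["params"].get("action", []):
        return None
    for name, values in entry["params"].items():
        for value in values:
            if SQLI_RE.search(value):
                return f"{name}={value!r}"
    return None


def scan(lines):
    """Run every line through the parser and indicator check; return the hits in order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = matches_indicator(entry)
        if reason:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "status": entry["status"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Two limitations follow from the log source rather than the script: the default access log records only the URL query string, so an `action` or payload carried in the POST body is invisible here (a ModSecurity audit log or the WAF rule above covers that case), and the benign first line shows why the `action=wpt_ajax` filter matters before keyword matching, since `admin-ajax.php` is shared by every plugin on the site.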