CVE-2022-0949
📋 TL;DR
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin, in versions before 6.930, does not sanitise or escape the fingerprint parameter before using it in a SQL statement handled by the stopbadbots_grava_fingerprint AJAX action. The action is registered on the wp_ajax_nopriv_ hook, so unauthenticated attackers can reach it through /wp-admin/admin-ajax.php and inject arbitrary SQL into the site's database queries. Every WordPress site with a vulnerable version of the plugin active is affected.
💻 Affected Systems
- Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin, versions before 6.930 (the plugin slug is stopbadbots)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WordPress database: reading wp_users password hashes and other stored data, creating or elevating administrator accounts, defacing stored content, or, where the database account holds the MySQL FILE privilege, writing files to the web root that lead to remote code execution.
Likely Case
Data exfiltration, database manipulation, or denial of service through database corruption.
If Mitigated
Limited impact if the vulnerable action is blocked for unauthenticated requests or a WAF filters the fingerprint parameter; keyword-based WAF rules are bypassable, so treat them as a stopgap until the plugin is updated, not as a fix.
🎯 Exploit Status
SQL injection via the fingerprint parameter of the stopbadbots_grava_fingerprint AJAX action. Because the action is registered on the wp_ajax_nopriv_ hook, no account or prior access is needed: a single crafted request to /wp-admin/admin-ajax.php reaches the vulnerable query, so exploitation requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.930
Advisory (WPScan): https://wpscan.com/vulnerability/a0fbb79a-e160-49df-9cf2-18ab64ea66cb
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Block Bad Bots plugin.
4. Click Update Now to update to version 6.930 or higher.
5. Verify the update completed successfully and the listed version is 6.930 or higher.
🔧 Temporary Workarounds
Disable the vulnerable AJAX endpoint
Remove or block access to the vulnerable stopbadbots_grava_fingerprint AJAX action for unauthenticated requests.
Add to the active theme's functions.php: remove_action('wp_ajax_nopriv_stopbadbots_grava_fingerprint', 'stopbadbots_grava_fingerprint');
Caveat: remove_action() only takes effect if the callback name and priority match what the plugin registered (default priority 10); if they differ the call silently does nothing, so confirm with an unauthenticated test request afterwards. The line is also lost when the theme is switched.
Alternative in .htaccess: RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L] (caution: this blocks every AJAX action, including those used by other plugins and the theme; the action name often travels in the POST body, so mod_rewrite cannot match this one action selectively)
Web Application Firewall rule
Block SQL injection patterns targeting the fingerprint parameter.
WAF specific: configure a rule that inspects requests to /wp-admin/admin-ajax.php (query string and POST body) and blocks those where action=stopbadbots_grava_fingerprint arrives without a WordPress login cookie, or where the fingerprint parameter contains SQL syntax (quotes, comment sequences, UNION, SELECT, SLEEP, BENCHMARK). Keyword matching alone is easy to bypass; refusing the action outright for unauthenticated clients is the more reliable rule.
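A more robust form of the "disable the AJAX endpoint" workaround, written as a must-use plugin. This is an added example for this page, not code from the plugin's author or from WordPress; the file name, the function and constant names, the 403 response and the error_log line are assumptions. Unlike the functions.php one-liner it does not depend on knowing the plugin's callback name or hook priority, and it survives a theme switch.

```php
<?php
/**
 * Plugin Name: CVE-2022-0949 temporary mitigation (example, not the vendor's code)
 * Description: Blocks the unauthenticated stopbadbots_grava_fingerprint AJAX
 *              action until the Block Bad Bots plugin is updated to 6.930+.
 *
 * Save as wp-content/mu-plugins/cve-2022-0949-block.php (create the directory
 * if it does not exist). Must-use plugins load before ordinary plugins and
 * cannot be deactivated from the admin UI, so the block applies on every request.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // not a WordPress request
}

// The vulnerable AJAX action named in the advisory.
const CVE_2022_0949_ACTION = 'stopbadbots_grava_fingerprint';

/**
 * admin-ajax.php fires admin_init before it dispatches the
 * wp_ajax_{action} / wp_ajax_nopriv_{action} hooks, so this runs first. Two layers:
 *   1. Unhook every callback registered for the nopriv variant of the action,
 *      whatever the plugin named its handler (remove_all_actions needs no
 *      callback name, unlike remove_action).
 *   2. If the request still targets the action and the caller is not logged in,
 *      refuse it with 403 so the fingerprint parameter never reaches the
 *      plugin's SQL statement.
 */
function cve_2022_0949_block_fingerprint_action() {
	if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
		return;
	}

	remove_all_actions( 'wp_ajax_nopriv_' . CVE_2022_0949_ACTION );

	// admin-ajax.php reads the action from $_REQUEST (query string or POST body).
	$action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
	if ( $action !== CVE_2022_0949_ACTION || is_user_logged_in() ) {
		return;
	}

	// Assumed logging: leaves a line in the PHP error log for monitoring.
	error_log( sprintf(
		'CVE-2022-0949 mitigation: blocked %s from %s',
		CVE_2022_0949_ACTION,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );

	status_header( 403 );
	wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'admin_init', 'cve_2022_0949_block_fingerprint_action', 0 );
```

After placing the file, confirm it appears under Plugins > Must-Use, then send an unauthenticated POST to /wp-admin/admin-ajax.php with action=stopbadbots_grava_fingerprint and a harmless fingerprint value; a 403 response means the block is active. Remove the file once the plugin is at 6.930 or higher, otherwise the plugin's legitimate fingerprint collection for anonymous visitors stays disabled.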
🧯 If You Can't Patch
- Disable or remove the Block Bad Bots plugin entirely until it can be updated; a deactivated plugin does not register its AJAX actions
- If the plugin must stay active, patch its handler locally so the fingerprint value is passed through $wpdb->prepare() (or otherwise sanitised and escaped) before it reaches the SQL statement; a local patch is overwritten by the next plugin update, so record it and re-check after updating
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins and read the version shown for Block Bad Bots. Any version below 6.930 is vulnerable while the plugin is active.
Check Version:
wp plugin list --name=stopbadbots --field=version (if WP-CLI is installed; the --name filter matches the plugin slug, i.e. its directory name under wp-content/plugins, not the display name)
Verify Fix Applied:
Confirm plugin version is 6.930 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in wp-content/debug.log (only written when WP_DEBUG and WP_DEBUG_LOG are enabled) or in the MySQL/MariaDB error or general query log
- Bursts of POST requests to /wp-admin/admin-ajax.php from clients without a wordpress_logged_in_* cookie whose fingerprint parameter contains SQL syntax (quotes, comment sequences, UNION, SELECT, SLEEP, BENCHMARK)
Network Indicators:
- HTTP requests to /wp-admin/admin-ajax.php carrying action=stopbadbots_grava_fingerprint (in the query string or the POST body) with SQL injection payloads in the fingerprint parameter; time-based payloads show up as unusually slow responses to that action
Caveat: standard web server access logs record only the request line, so when action and fingerprint travel in the POST body they are invisible there. Only a WAF, a reverse proxy with request-body logging, or an application-level log contains them; the query below assumes such a source and uses illustrative field names.
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "fingerprint" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "SLEEP" OR "BENCHMARK")
A tighter variant matches the action name directly: source="wordpress.log" AND "admin-ajax.php" AND "stopbadbots_grava_fingerprint"