CVE-2022-1556

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands on WordPress sites using the StaffList plugin before version 3.1.5. The SQL injection occurs when searching for staff members in the admin dashboard, potentially allowing attackers to read, modify, or delete database contents. Any WordPress site with the vulnerable plugin version is affected.

💻 Affected Systems

Products:
  • WordPress StaffList Plugin
Versions: All versions before 3.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with StaffList plugin enabled. Admin dashboard access is required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, site takeover, or remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, credential theft from the database, and potential site defacement.

🟢 If Mitigated

Limited impact with proper input validation, database user restrictions, and web application firewall rules.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin dashboard access. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.5

Vendor Advisory: https://wpscan.com/vulnerability/04890549-6bd1-44dd-8bce-7125c01be5d4

Restart Required: No

Instructions:

1. Log into the WordPress admin dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Find the StaffList plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.1.5+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable StaffList Plugin

Applies to: all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate stafflist

Web Application Firewall Rule

Applies to: all

Block SQL injection patterns targeting the vulnerable endpoint.

ModSecurity rule: SecRule ARGS "(?i:(union|select|insert|update|delete|drop|alter).*)" "id:1001,phase:2,deny"

This rule denies any request in which any argument contains one of the listed words anywhere in its value, so it will also block legitimate admin actions such as saving a post whose text contains "update" or "select". Treat it as a stop-gap and scope it to the affected requests where your configuration allows.

🧯 If You Can't Patch

  • Restrict admin dashboard access to trusted IP addresses only
  • Implement database user with minimal privileges (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin dashboard, go to Plugins and read the StaffList version. If the version is below 3.1.5, the site is vulnerable.

Check Version:

wp plugin get stafflist --field=version

Verify Fix Applied:

Confirm StaffList plugin version is 3.1.5 or higher in WordPress admin dashboard.
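The advisory's version check is easy to get wrong with a plain string comparison ("3.1.10" sorts before "3.1.5" as text). The following is an added example, not part of the advisory or of the StaffList project: it parses the version string into numeric components and compares it against 3.1.5. The wp-cli command is the one the advisory gives; the wrapper that runs it (and its use of wp-cli's --path option) is an assumption about how you would wire the check into a script.

```python
"""Added example (not from the advisory): decide whether an installed
StaffList version is below the fixed release 3.1.5.

A naive string comparison gets this wrong ("3.1.10" < "3.1.5" as text),
so the version is split into integer components first. The wp-cli call
is the advisory's; the helper around it is an assumption.
"""
import re
import subprocess

FIXED_VERSION = (3, 1, 5)  # first release that contains the fix


def parse_version(text):
    """Turn '3.1.4', ' 3.1.5\n' or '3.2' into a tuple of ints.

    Missing components are padded with zeros so '3.2' compares as
    (3, 2, 0). Any trailing non-numeric tag is ignored.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the installed version is older than 3.1.5."""
    return parse_version(version_text) < FIXED_VERSION


def installed_stafflist_version(wp_path="."):
    """Ask wp-cli for the plugin version (command taken from the advisory).

    Returns None when wp-cli is not on PATH or the plugin is absent, so
    the script can run on a machine without WordPress.
    """
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", "stafflist", "--field=version",
             "--path=" + wp_path],
            capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = installed_stafflist_version()
    if version is None:
        print("wp-cli not available or StaffList not installed")
    elif is_vulnerable(version):
        print("StaffList %s is vulnerable; update to 3.1.5 or later" % version)
    else:
        print("StaffList %s is at or above the fixed version" % version)
```

Run it from the WordPress root (or pass the install path to installed_stafflist_version); the numeric comparison is the part worth reusing in any fleet-wide inventory script.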

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin dashboard
  • Unexpected database schema changes

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND (url="*admin-ajax.php*" AND (param="*union*" OR param="*select*" OR param="*insert*"))
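The SIEM query above can be applied offline to web server access logs. The following is an added example, not part of the advisory: it parses combined-format access log lines, keeps only requests to admin-ajax.php, and reports query parameters that contain one of the SQL keywords the advisory lists, after URL-decoding twice so that percent-encoded or double-encoded keywords are not missed. It matches keywords as whole words rather than substrings, which avoids flagging values like "selection" at the cost of missing keywords glued to other letters. The log lines are constructed for the demonstration, and the parameter names in them (action, s) are placeholders, not StaffList's real ones. Only the query string appears in a standard access log, so the POST bodies the advisory also names need request-body logging (for example from the WAF) before this check can see them.

```python
"""Added example (not from the advisory): offline version of the SIEM
query, run over constructed access log lines.

Flags requests to admin-ajax.php whose query parameters contain one of
the advisory's SQL keywords after URL decoding. POST bodies are not in a
standard access log, so they are not covered here.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Keyword list taken from the advisory's WAF rule and SIEM query.
SQL_KEYWORDS = {"union", "select", "insert", "update", "delete", "drop", "alter"}

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return {param: [keywords]} for query parameters containing SQL keywords."""
    query = urlsplit(target).query
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again to catch double encoding.
        decoded = unquote_plus(value).lower()
        words = set(re.findall(r"[a-z]+", decoded))
        found = sorted(words & SQL_KEYWORDS)
        if found:
            hits[name] = found
    return hits


def scan_log(lines):
    """Return (ip, time, method, hits) for admin-ajax.php requests with SQL keywords."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if not urlsplit(target).path.endswith("/admin-ajax.php"):
            continue  # scope to the endpoint the advisory names
        hits = suspicious_params(target)
        if hits:
            findings.append((m.group("ip"), m.group("time"), m.group("method"), hits))
    return findings


# Constructed sample log lines (not real traffic; parameter names are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2022:13:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_search&s=smith HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2022:13:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_search&s=smith%27%20union%20select%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2022:13:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=example_search&s=%2527%2520%2555NION%2520SELECT HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2022:13:02:00 +0000] "GET /index.php?s=select+a+plan HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2022:13:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, when, method, hits in scan_log(SAMPLE_LOG):
        print("%s %s %s admin-ajax.php %s" % (when, ip, method, hits))
```

The fourth sample line contains "select" but is not on admin-ajax.php, so it is not reported; the fifth is a POST to the endpoint whose parameters live in the body and are invisible to this parser, which is exactly the gap request-body logging closes.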
