CVE-2022-30402

7.2 HIGH

📋 TL;DR

Merchandise Online Store v1.0 contains a SQL injection vulnerability in the admin panel's subcategory management page. Attackers can exploit this to execute arbitrary SQL commands, potentially accessing or modifying database content. This affects all deployments using the vulnerable version.

💻 Affected Systems

Products:
  • Merchandise Online Store
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but admin credentials may be weak or default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized access to sensitive data (customer information, admin credentials, order data), database manipulation, and potential privilege escalation.

🟢 If Mitigated

Limited impact: proper input validation and parameterized queries prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin authentication, but SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is available. Use parameterized queries for the id parameter handled by the /vloggers_merch/admin/?page=maintenance/manage_sub_category&id= endpoint.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Add server-side validation to ensure the 'id' parameter contains only numeric values
  • Modify the PHP code to validate that $_GET['id'] is numeric before processing

Web Application Firewall (applies to: all)

  • Deploy a WAF with SQL injection protection rules
  • Configure the WAF to block SQL injection patterns in URL parameters

🧯 If You Can't Patch

  • Restrict admin panel access to trusted IP addresses only
  • Implement strong authentication for admin accounts and enable MFA

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads like: /vloggers_merch/admin/?page=maintenance/manage_sub_category&id=1' OR '1'='1

Check Version:

Check application version in admin panel or source code

Verify Fix Applied:

Test with same payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in web server logs
  • Multiple failed login attempts to admin panel
  • Unusual database queries from web application

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Unusual traffic patterns to admin endpoints

SIEM Query:

web.url:*manage_sub_category* AND (web.param.id:*OR* OR web.param.id:*UNION* OR web.param.id:*SELECT*)
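A keyword-independent complement to the SIEM query above, added here as an example (not part of this advisory or of the product): it parses access-log lines, percent-decodes the id parameter of requests to the manage_sub_category page, and flags any value that is not a plain integer, which is the rule the mitigation section says the application should enforce. The common-log-format layout and the sample lines are constructed; the second line carries the advisory's own test payload URL-encoded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line of an Apache/nginx common-log-format entry: method, URL, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
ADMIN_PREFIX = "/vloggers_merch/admin/"
VULNERABLE_PAGE = "maintenance/manage_sub_category"

# Constructed sample log lines: a normal request, the advisory's test payload
# percent-encoded, a plus-encoded variant, and a request to a different page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2022:12:00:01 +0000] "GET /vloggers_merch/admin/?page=maintenance/manage_sub_category&id=7 HTTP/1.1" 200 4312
10.0.0.9 - - [10/May/2022:12:00:07 +0000] "GET /vloggers_merch/admin/?page=maintenance/manage_sub_category&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870
10.0.0.9 - - [10/May/2022:12:00:09 +0000] "GET /vloggers_merch/admin/?page=maintenance/manage_sub_category&id=1+OR+1%3D1 HTTP/1.1" 500 512
10.0.0.5 - - [10/May/2022:12:00:12 +0000] "GET /vloggers_merch/admin/?page=maintenance/manage_category&id=3 HTTP/1.1" 200 3100
"""


def parse_request(log_line):
    """Return (method, url) from one log line, or None if no request line is present."""
    m = REQUEST_RE.search(log_line)
    return (m.group("method"), m.group("url")) if m else None


def suspicious_ids(url):
    """Return the decoded id values of a vulnerable-page request that are not plain integers.

    parse_qs decodes %XX sequences and '+' before the value is checked, so
    encoding does not hide a non-numeric id and no SQL keyword list is needed.
    """
    parts = urlsplit(url)
    if not parts.path.startswith(ADMIN_PREFIX):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("page") != [VULNERABLE_PAGE]:
        return []
    return [v for v in params.get("id", []) if not re.fullmatch(r"[0-9]+", v)]


def scan_log(text):
    """Return (line_number, decoded_id) for every request that fails the numeric-id rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        req = parse_request(line)
        if req:
            hits.extend((line_no, bad) for bad in suspicious_ids(req[1]))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports lines 2 and 3 with their decoded id values; a request without an id, or to another page, is not reported.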
