CVE-2022-46860 – This SQL injection vulnerability in the WordPre... (How to Fix)

Q: What is the severity of CVE-2022-46860?

CVE-2022-46860 has a CVSS score of 9.8 (CRITICAL). This SQL injection vulnerability in the WordPress Short URL plugin allows attackers to execute arbitrary SQL commands on the database. It affects all versions up to 1.6.4, potentially compromising websites using this plugin.

📋 TL;DR

This SQL injection vulnerability in the WordPress Short URL plugin allows attackers to execute arbitrary SQL commands on the database. It affects all versions up to 1.6.4, potentially compromising websites using this plugin.

💻 Affected Systems

Products:

WordPress Short URL plugin

Versions: n/a through 1.6.4

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with the vulnerable plugin version.

📦 What is this software?

Short Url by Kaizencoders

View all CVEs affecting Short Url →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, or full website takeover.

🟠

Likely Case

Unauthorized data access, modification of URL redirects, or extraction of sensitive information from the database.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, though some data exposure may still occur.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities are commonly exploited with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/shorten-url/wordpress-short-url-plugin-1-6-4-sql-injection

Restart Required: No

Instructions:

1. Update the Short URL plugin to version 1.6.5 or later via WordPress admin panel. 2. Verify the update completed successfully. 3. Test plugin functionality.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Short URL plugin until patched.

wp plugin deactivate short-url

Web Application Firewall rule

all

Implement WAF rules to block SQL injection patterns targeting the plugin.

🧯 If You Can't Patch

Remove the Short URL plugin entirely and use alternative URL shortening solutions.
Implement strict input validation and sanitization at the application level.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Short URL version. If version is 1.6.4 or earlier, you are vulnerable.

Check Version:

wp plugin get short-url --field=version

Verify Fix Applied:

Verify plugin version is 1.6.5 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts
Suspicious POST requests to plugin endpoints

Network Indicators:

SQL injection patterns in HTTP requests
Unusual database connection spikes

SIEM Query:

source="web_logs" AND (url="*short-url*" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*"))

📊 Metadata

CVE ID: CVE-2022-46860

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: November 6, 2023

Last Updated: November 21, 2024

🔗 References

https://patchstack.com/database/vulnerability/shorten-url/wordpress-short-url-plugin-1-6-4-sql-injection?_s_id=cve Third Party Advisory
https://patchstack.com/database/vulnerability/shorten-url/wordpress-short-url-plugin-1-6-4-sql-injection?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-46860, you might also want to check these: