Login Sign Up

CVE-2022-47432

9.8 CRITICAL
SQL Injection

📋 TL;DR

This SQL injection vulnerability in the WordPress Shortcode IMDB plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites using the plugin versions up to 6.0.8. Successful exploitation could lead to data theft, modification, or complete database compromise.

💻 Affected Systems

Products:
  • WordPress Shortcode IMDB plugin
Versions: n/a through 6.0.8
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

📦 What is this software?

Shortcode Imdb by Kemalyazici

View all CVEs affecting Shortcode Imdb →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, privilege escalation, and potential full system takeover if database permissions allow file system access.

🟠

Likely Case

Data exfiltration of sensitive information (user credentials, personal data), database manipulation, and potential WordPress admin access.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities in WordPress plugins are frequently weaponized due to the large attack surface and automated exploitation tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.9 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/shortcode-imdb/wordpress-shortcode-imdb-plugin-6-0-8-sql-injection

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Shortcode IMDB' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 6.0.9+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Shortcode IMDB plugin until patched

wp plugin deactivate shortcode-imdb

Web Application Firewall rule

all

Implement WAF rules to block SQL injection patterns targeting the plugin

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Shortcode IMDB version

Check Version:

wp plugin get shortcode-imdb --field=version

Verify Fix Applied:

Verify plugin version is 6.0.9 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP
  • Unexpected database schema changes

Network Indicators:

  • HTTP requests with SQL injection payloads to WordPress endpoints
  • Unusual outbound database connections

SIEM Query:

source="web_server" AND (uri="*wp-content/plugins/shortcode-imdb/*" AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*" OR query="*DELETE*"))

📊 Metadata

CVE ID: CVE-2022-47432
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: November 6, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-47432, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)