KEVIntel
PRO Back to KEVs
9.8
CVSS
Critical

CVE-2022-0769

PUBLISHED

Users Ultra <= 3.1.0 - Unauthenticated SQL Injection

Not yet in CISA KEV

Exploited in the wild PoC available Remote Low complexity No user interaction
Vendor
Unknown
Product
Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Published
Apr 25, 2022
EPSS

Automate This Intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is being interpolated in an SQL statement and then executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

nuclei_scanner

Weaknesses (CWE)

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS Scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5 High

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation Status

Exploited in the wild

Recorded 2025-06-05 00:00:00 UTC · The Shadowserver (via CIRCL)

Proof of concept available

Recorded 2026-06-12 14:20:27 UTC · Nuclei Templates

References

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) First 2025-06-05 00:00 UTC

Scanner Integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-0769.yaml Apr 25, 2025

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

CVE-2022-0769

nuclei · Created Unknown

Timeline

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Nuclei

  • CVE Published to Public

  • CVE ID Reserved