CVE-2022-2958

BadgeOS < 3.7.1.3 - Subscriber+ SQLi

Basic Information

CVE State
PUBLISHED
Reserved Date
August 23, 2022
Published Date
September 19, 2022
Last Updated
August 03, 2024
Vendor
Unknown
Product
BadgeOS
Description
The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated user, leading to SQL injections.
Tags
wordpress

CVSS Scores

CVSS v3.1

8.8 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
0.24% (Percentile: 47.55%) as of 2025-05-23

Exploit Status

Exploited in the Wild
Yes (added 2025-05-22 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-05-23 18:00:30 UTC