CVE-2022-4117

IWS - Geo Form Fields <= 1.0 - Unauthenticated SQLi

Basic Information

CVE State: PUBLISHED
Reserved Date: November 22, 2022
Published Date: December 26, 2022
Last Updated: April 14, 2025
Vendor: Unknown
Product: IWS
Description: The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 78.30% (Percentile: 98.96%) as of 2025-05-17

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2025-05-11 00:00:00 UTC) Source

References

https://wpscan.com/vulnerability/1fac3eb4-13c0-442d-b27c-7b7736208193

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-05-11 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-4117.yaml	2025-04-26 00:00:00 UTC