15 SQL Injections FEB 2022 | -12% decrease vs JAN 2022

SQL Injections FEB 2022

Managed WP/Woo Security Report

Be informed about the latest SQL Injections FEB 2022, identified and reported publicly. As these SQL Injections FEB 2022 vulnerabilities have a severe negative impact on any WordPress Security and hosting server security, consider our security consulting.

An estimated 594.000+ active WordPress installations are susceptible to this attack type, considering only the publicly available numbers. It is a -21% decrease compared to last month. The estimated number can increase by 20-25% with premium versions as they are private purchases.

Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

• WordPress 5.8.3 Security Release – SQL Injection via WP_Query
  • This vulnerability is not exploitable directly via WordPress core, but some plugins and themes may use WP_Query in a way that allows SQL injection.

---

• WordPress 5.8.3 Security Release – Blind SQL Injection via WP_Meta_Query
  • Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.

---

• WP User Frontend – Membership, Profile, Registration & Post Submission Plugin for WordPress – SQL Injection to Reflected Cross-Site Scripting (XSS)
  • WP User Frontend is one of the best frontend builder plugin for WordPress. It includes frontend dashboard, frontend editor & publishing, and frontend uploader for WordPress user profile, post submissions, and memberships. Active installations: 30,000+

---

• Axact Author List Widget – Unauthenticated SQL Injection
  • The Axact Author List Widget wordpress plugin, by Yumna Tatheer, displays a list of authors, and editors on the blog as an ordered list, unordered list, or a dropdown list. You can use the ordered list to display a list of ‘top authors’ on the blog. You can set a custom order of authors by simple dran n drop, set urls where this widget should not show. Active installations: 200+

---

• Cookie Notification Plugin for WordPress – WP Cookie User Info – SQL Injection
  • WP Cookie User Info is a FREE WordPress Plugin which allows you to apply cookie information on your website on different positions. Its fun because – you can create, customize and build the cookie info for your site on your own, choose on what to display as a message, where to display it and reappear after how long. Active installations: 100+

---

• Perfect Survey – Unauthorised AJAX Call to Stored Cross-Site Scripting (XSS) / Survey Settings Update
• Perfect Survey – Unauthenticated SQL Injection
• Perfect Survey – Reflected Cross-Site Scripting (XSS)
• Perfect Survey – Unauthenticated Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of October 5, 2021 and is not available for download. Reason: Security Issue.

---

• Mediamatic – Media Library Folders – SQL Injection
  • “Mediamatic – Media Library Folders” has been translated into 2 locales. Thank you to the translators for their contributions. Active installations: 3,000+

---

• Paid Memberships Pro – WordPress Membership Plugin – Unauthenticated Blind SQL Injection
  • Paid Memberships Pro gives you all the tools you need to start, manage, and grow your membership site. The plugin is designed for premium content sites, online course or LMS and training-based memberships, clubs and associations, members-only product discount sites, subscription box products, paid newsletters, and more. Active installations: 100,000+

---

• WP Visitor Statistics (Real Time Traffic) – SQL Injection
  • A comprehensive plugin for your WordPress visitor statistics, Track statistics for your WordPress site without depending on external services. Enable you to display how many users are online on your WordPress blog with detailed statistics, easy to install and working fine. Active installations: 20,000+

---

• Wicked Folders – SQL Injection
  • Wicked Folders is the ultimate tool for managing large numbers of pages and custom post types. The plugin simplifies content management by allowing you to organize your content into folders. Wicked Folders does not alter your content’s permalinks or hierarchy giving you the freedom to organize your pages, posts, and custom post types any way you want independently of your site’s structure. Active installations: 10,000+

---

• Rearrange Woocommerce Products – SQL Injection
  • Rearrange Woocommerce Products is a plugin that allows you to rearrange/reorder the default sort order of the products on Woocommerce Shop Page. It also allows to rearrange products based on specific category. Active installations: 10,000+

---

• Ad Invalid Click Protector (AICP) – Authenticated SQL Injection
  • Ad Invalid Click Protector a.k.a. AICP plugin will help you to save your Google Ad account from unusual invalid click activities and click bombings. As per the Google Ad terms, Google doesn’t take any responsibility towards these invalid click activities or click bombings and always point the finger towards the Ad publisher, giving him/her all the blames. Now it is time to end this problem, once and for all. Active installations: 20,000+

---

• Popup Builder – Create highly converting, mobile friendly marketing popups. – LFI to RCE
• Popup Builder – Create highly converting, mobile friendly marketing popups. – SQL Injection
  • Popup Builder is a Perfect solution for any WordPress website. With a wide range of WordPress popup types, conditions, and events (From Image Popup to Countdown popup, Exit Intent to GeoTargeting) Popup Builder helps you create high converting, promotional and informative popups, increase conversion rates and boost sales while reaching your marketing goals. Active installations: 200,000+

---

• Download Manager – Authenticated SQL Injection to Reflected Cross-Site Scripting (XSS)
  • WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download. Active installations: 100,000+

---

• Database Backup for WordPress – SQL Injection
  • Backup your database instantly, send the backup via email, or schedule backups to run automatically. Database Backup for WordPress allows you to quickly back up your core WordPress database tables, and either download the backup as a gzipped file, or send it via email to an address you choose. Active installations: 100,000+

---

BRIEF: SQL Injections FEB 2022 is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

What is SQL Injections FEB 2022?

SQL injection is a web Security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.

In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

What is the impact of an SQL Injections FEB 2022?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period.

What kind of SQL Injections are exploited?

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
– Retrieving hidden data, where you can modify an SQL query to return additional results.
– Subverting application logic, where you can change a query to interfere with the application’s logic.
– UNION attacks, where you can retrieve data from different database tables.
– Examining the database, where you can extract information about the version and structure of the database.
– Blind SQL injection, where the results of a query you control are not returned in the application’s responses.

MANAGED WP/Woo Security: SQL Injections FEB 2022 Related Posts