CVE CyberSecurity Database News

CVE-2022-3848 - SQL Injection Vulnerability in WP User Merger WordPress Plugin Exploited by Admin Users

Poster -

The WordPress ecosystem is huge, and keeping plugins secure can be a challenge. One major security flaw that got attention in 2022 was CVE-2022-3848, found in the WP User Merger plugin. This plugin lets you merge multiple WordPress user accounts into one. But before version 1.5.3, it had a nasty SQL Injection bug. This post breaks down the vulnerability, shows you some example code, and explains the exploit using easy-to-understand language.

What is CVE-2022-3848?

CVE-2022-3848 is an SQL Injection vulnerability in the WP User Merger plugin — if you have a version older than 1.5.3, your site could be at risk.

Vulnerable versions: All before 1.5.3

- Vulnerable code: The plugin failed to properly sanitize and escape user-input parameters before plugging them into SQL queries.

Who can exploit: Any logged-in user with an administrator role.

- What’s the risk: Attackers could tweak SQL statements to read sensitive data, change the database, or even delete stuff.

How Did the Vulnerability Happen?

SQL Injection vulnerabilities occur when plugins use user input directly in SQL queries without sanitizing or escaping, opening the door for attackers to change the intent of a query.

Let’s look at a simplified, vulnerable snippet similar to the plugin’s real code

// BAD: Vulnerable code
$user_id = $_POST['user_id'];
$result = $wpdb->get_results("SELECT * FROM $wpdb->users WHERE ID = $user_id");

If $user_id comes straight from a web form and isn’t sanitized or escaped, a malicious admin can inject SQL into it.

Suppose an admin user opens the “Merge Users” page and sends

user_id=1 OR 1=1

The query becomes

SELECT * FROM wp_users WHERE ID = 1 OR 1=1

A more destructive input could be

user_id=1; DROP TABLE wp_users;


Depending on database configuration, this could delete your entire users table.

How to Fix (The Patch)

Proper protection is to sanitize and use prepared statements. Starting with version 1.5.3, the plugin code changed to:

// GOOD: Safe code
$user_id = intval($_POST['user_id']); // sanitize input as integer
$query = $wpdb->prepare(
    "SELECT * FROM $wpdb->users WHERE ID = %d",
    $user_id
);
$result = $wpdb->get_results($query);


Here, intval() ensures an integer, and $wpdb->prepare() escapes everything safely.

Real-life Impact

Though only *admins* could exploit this, there are cases where compromised admin accounts are used by attackers to destroy a site, exfiltrate data, or even plant backdoors.

References and More Information

- Official Plugin Page: WP User Merger
- Patch Release: Version 1.5.3 Changelog
- Security Advisory: WPScan CVE-2022-3848 Advisory
- OWASP SQL Injection Guide

Regularly audit users and roles.

- Back up your database before installing/updating plugins.

Conclusion

CVE-2022-3848 was a classic example of why sanitizing and escaping user input is vital in WordPress plugins — even admin-only features. If you use WP User Merger, update it today and keep your site secure. And remember, never trust user input, even when it's from admins!

If you want more details or need help, check the official advisory or leave a comment below. Stay safe!

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:48:00 UTC