SQL Injection in Order Listener For Woocommerce – Play Sounds Instantly On New Orders

CVE-2022-0948

The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.

Vulnerability class: SQL Injection

EPSS: 0.688 (98.6th percentile)

Affected products

  • Unknown Order Listener For Woocommerce – Play Sounds Instantly On New Orders — versions before 3.2.2

Frequently asked questions

What is CVE-2022-0948?
CVE-2022-0948 is a vulnerability in Order Listener For Woocommerce – Play Sounds Instantly On New Orders, classified under SQL Injection. Published 2022-05-09.

Is CVE-2022-0948 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.