CVE-2022-2269 – Website File Changes Monitor < 1.8.3 - Admin+ SQLi

https://notcve.org/view.php?id=CVE-2022-2269

The Website File Changes Monitor WordPress plugin before 1.8.3 does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default admins), leading to an SQL injection El plugin Website File Changes Monitor de WordPress versiones anteriores a 1.8.3, no sanea y escapa de la entrada del usuario antes de usarla en una sentencia SQL por medio de una acción disponible para usuarios con la capacidad manage_options (por defecto los administradores), conllevando a una inyección SQL The Website File Changes Monitor plugin for WordPress is vulnerable to SQL Injection via the ‘path' parameter in versions up to, and including, 1.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrative privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://wpscan.com/vulnerability/bb348c92-d7e3-4a75-98aa-dd1c463bfd65 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •