
CVE-2022-3254: CWE-89 SQL Injection in Unknown WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Critical
Tags: Vulnerability, CVE-2022-3254, CWE-89
Published: Mon Oct 31 2022 (10/31/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

Description

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection.

AI-Powered Analysis

Last updated: 07/03/2025, 08:26:56 UTC

Technical Analysis

CVE-2022-3254 is a critical SQL injection vulnerability in the WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds, affecting versions before 4.3. The plugin takes certain request parameters and places them in a SQL statement without sanitising or escaping them, so attacker-controlled text becomes part of the query rather than data within it. The statement is reached through an AJAX action that the plugin exposes to unauthenticated users (in WordPress terms, a handler on the wp_ajax_nopriv_ hook, served through /wp-admin/admin-ajax.php), but only when a specific premium module of the plugin is active. An attacker who can reach the site over the network can therefore send crafted requests that inject arbitrary SQL and, depending on the query, read, modify or delete data held in the WordPress database.

The weakness is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 9.8 (Critical): network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N) and high impact on confidentiality, integrity and availability (C:H/I:H/A:H); a 9.8 with those metrics also implies low attack complexity and unchanged scope. No exploits have been reported in the wild, but an unauthenticated, network-reachable SQL injection is cheap to find and to exploit, so the absence of reports should not be read as low risk.

Exposure is limited to installations where the premium module is active. That precondition does not protect a site by obscurity: admin-ajax.php is reachable on every WordPress site, and an attacker who cannot tell in advance whether the module is enabled can simply send the request and observe the response, so vulnerable sites are cheaply discoverable by mass scanning. Given how widely WordPress and classifieds plugins are deployed, successful exploitation could expose user data, allow site content to be altered or defaced, or disrupt service.
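An added illustration of the vulnerable pattern and its fix (not code from the plugin, WPScan or this advisory, which carry none): the same CWE-89 mistake modelled in Python with sqlite3 so that it runs offline. The listings and users tables, the listing_id parameter and the two payloads are assumptions chosen for illustration; the plugin's real query and AJAX action are not reproduced here.

```python
# Added example, not code from the plugin or the advisory: the CWE-89 pattern
# behind CVE-2022-3254, modelled in Python with sqlite3 so it runs offline.
# The 'listings'/'users' tables and the listing_id parameter are assumptions
# chosen for illustration; the plugin's real query and AJAX action are not
# reproduced here.
import sqlite3


def make_db():
    """Constructed sample data standing in for a WordPress database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, status TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO listings VALUES (1, 'Bike for sale', 'published');
        INSERT INTO listings VALUES (2, 'Unreviewed ad', 'pending');
        INSERT INTO users VALUES (1, 'admin', '$P$BexampleHashNotReal');
    """)
    return con


def vulnerable_lookup(con, listing_id):
    """The vulnerable shape: the request parameter is spliced into the SQL text.

    In a WordPress plugin this is $wpdb->get_results("... WHERE id = $id")
    with $id taken straight from $_REQUEST inside a wp_ajax_nopriv_ handler.
    """
    sql = ("SELECT title, status FROM listings "
           f"WHERE id = {listing_id} AND status = 'published'")
    return con.execute(sql).fetchall()


def hardened_lookup(con, listing_id):
    """The fixed shape: validate the type, then bind the value as a parameter.

    The WordPress equivalent is $wpdb->prepare("... WHERE id = %d", $id);
    the driver sends the value as data, so it can never alter the statement.
    """
    try:
        listing_id = int(listing_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT title, status FROM listings WHERE id = ? AND status = 'published'"
    return con.execute(sql, (listing_id,)).fetchall()


# Two constructed payloads an unauthenticated caller could put in the parameter.
BYPASS_FILTER = "0 OR 1=1 --"   # reads rows the WHERE clause should hide
DUMP_USERS = "1 UNION SELECT user_login, user_pass FROM users --"   # reads another table


def demo():
    """Run both lookups against both payloads and a benign value."""
    con = make_db()
    return {
        "vuln_bypass": vulnerable_lookup(con, BYPASS_FILTER),
        "vuln_dump": vulnerable_lookup(con, DUMP_USERS),
        "safe_bypass": hardened_lookup(con, BYPASS_FILTER),
        "safe_dump": hardened_lookup(con, DUMP_USERS),
        "safe_normal": hardened_lookup(con, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The first payload turns the status filter off and returns the pending listing; the second reads the users table through a UNION. The hardened version rejects both because the value is type-checked and bound rather than spliced into the statement. In a WordPress plugin the same protection is $wpdb->prepare() with %d/%s placeholders, and a handler registered on wp_ajax_nopriv_ should validate every parameter before it reaches the query, since nothing else stands between the network and that code.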

Potential Impact

For European organisations, the risk is significant for any business or community platform that runs this plugin to manage listings and advertisements. A successful injection could expose customer data such as names, contact details and business listings; under the GDPR that is a personal data breach, with notification duties and the prospect of regulatory fines and reputational damage. Because the flaw also allows data to be altered or deleted, it threatens the integrity and availability of the listings database and can disrupt operations and cause financial loss. A compromised site can additionally serve as a foothold for further attacks against the organisation or as a distribution point for malware served to visitors. Small and medium enterprises and local classifieds platforms, which often run WordPress with limited security staffing, are particularly exposed. The severity of the flaw warrants immediate attention to prevent data breaches or service outages.

Mitigation Recommendations

Organisations should first establish whether the plugin is installed, which version is running and whether the premium module is active; the version is shown on the Plugins screen in wp-admin, in the Version: line of the plugin's main PHP file, or by wp plugin list with WP-CLI. The fix is to update the plugin to version 4.3 or later. Where an update cannot be applied immediately, deactivating the premium module removes the AJAX action through which the vulnerable query is reached, at the cost of that module's functionality, and a Web Application Firewall rule that inspects requests to /wp-admin/admin-ajax.php for SQL keywords and metacharacters in their parameters can block the obvious attempts in the meantime. When hunting for past exploitation, bear in mind that AJAX calls are typically POSTed and ordinary web-server access logs record only the request line, not the body, so injected parameters are visible there only for GET requests; WAF or ModSecurity audit logs, or application-level request logging, are needed for full coverage. Beyond this issue, keep the plugin inventory small and sourced from trusted repositories, apply updates promptly, and make sure database backups exist and have been restore-tested so that a compromised site can be rebuilt quickly.
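The two checks in the paragraph above (is an affected version installed, and do the access logs show injection attempts against admin-ajax.php), as an added example in Python that is not code from the advisory, the plugin or WPScan. The plugin header text, the log lines and the AJAX action name awpcp_example are constructed for illustration; the page does not name the real action or parameter, and the indicator list is a starting point rather than a complete signature set.

```python
# Added example, not code from the advisory or the plugin: a triage script for
# (1) is an affected version installed, (2) do access logs show SQL injection
# attempts against admin-ajax.php. The log lines, the plugin header text and
# the AJAX action name 'awpcp_example' are constructed for illustration; the
# real action name is not given on this page.
import re
from urllib.parse import parse_qsl, urlsplit

FIXED_VERSION = (4, 3)   # CVE-2022-3254 is fixed in 4.3 per the advisory


def parse_plugin_version(header_text):
    """Read the 'Version:' line of a WordPress plugin's main PHP file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True for any version before 4.3; (4,) compares as 4.0 so it is affected."""
    return version is not None and version < FIXED_VERSION


# Indicators of SQL injection in a decoded parameter value; deliberately narrow
# to keep false positives low on a classifieds site whose ads contain free text.
SQLI_INDICATORS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b\s+(all\s+)?\bselect\b",
    r"\b(or|and)\b\s+\d+\s*=\s*\d+",
    r"'\s*(or|and)\b",
    r"\b(sleep|benchmark)\s*\(",
    r"information_schema",
    r"--\s|/\*",
)]

# Combined log format as written by Apache/Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_line(line):
    """Return a finding for a suspicious admin-ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)   # percent-decodes values
    hits = [(k, v) for k, v in params if any(p.search(v) for p in SQLI_INDICATORS)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "action": dict(params).get("action"),
        "status": int(m.group("status")),
        "params": hits,
    }


def scan_log(lines):
    """Findings for every line in an iterable of access-log lines."""
    return [f for f in map(scan_line, lines) if f]


# Constructed sample data (the action name and header are illustrative).
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: AWP Classifieds\n * Version: 4.2.1\n */\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Oct/2022:10:15:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=awpcp_example&listing_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Oct/2022:10:15:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=awpcp_example&listing_id=1%20UNION%20SELECT%20user_login%2Cuser_pass'
    '%20FROM%20wp_users--%20- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [31/Oct/2022:10:16:10 +0000] "POST /wp-admin/admin-ajax.php'
    ' HTTP/1.1" 200 64 "-" "curl/7.85.0"',
    '198.51.100.9 - - [31/Oct/2022:10:17:00 +0000] "GET /?s=union+select HTTP/1.1"'
    ' 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print("installed", v, "affected" if is_affected(v) else "not affected")
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the second line is flagged: the third is a POSTed AJAX call whose body the access log never saw, which is exactly the blind spot the paragraph describes, and the fourth hits a search page rather than admin-ajax.php. A finding with HTTP 200 and an unusually large response size is the one to pull the database logs for first.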


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-09-21T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbda47e

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/3/2025, 8:26:56 AM

Last updated: 7/28/2025, 12:07:18 PM

