CVE-2022-3849: CWE-89 SQL Injection in Unknown WP User Merger

High
Tags: Vulnerability, CVE-2022-3849, CWE-89
Published: Mon Nov 28 2022 (11/28/2022, 13:47:16 UTC)
Source: CVE
Vendor/Project: Unknown
Product: WP User Merger

Description

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

AI-Powered Analysis

Last updated: 06/22/2025, 07:21:34 UTC

Technical Analysis

CVE-2022-3849 is a SQL injection (CWE-89) flaw in the WP User Merger WordPress plugin, affecting all versions before 1.5.3. The plugin copies a request parameter into a SQL statement without sanitizing or escaping it (WordPress's own mechanism for this is $wpdb->prepare() with typed placeholders), so whoever controls that parameter controls the structure of the query rather than just a value inside it. The WPScan advisory puts the required role at administrator; the specific parameter the plugin mishandles is not identified on this page.

Because every query a plugin issues runs through the single database account WordPress uses for all of its tables, injected SQL reaches everything in that database: wp_users (including password hashes), wp_usermeta (roles and capabilities), wp_options (site configuration and the settings other plugins store there, which often include API keys) and all site content. Reads, writes and deletes are all possible, which is why the impact components are rated High for confidentiality, integrity and availability.

The recorded CVSS 3.1 base score is 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, unchanged scope. One caveat: PR:L denotes a low-privileged user, which does not match the advisory's administrator requirement; the same vector scored with PR:H yields 7.2. The impact assessment is unchanged either way.

Two points qualify the "admin required" condition. On a single-site WordPress install an administrator can already install plugins and therefore execute arbitrary PHP, so this flaw is not a privilege escalation there; it is a quieter route to raw database contents (password hashes, tokens) that the admin interface never displays. On a WordPress multisite network, by contrast, the site-level Administrator role cannot install plugins and sits well below Super Admin, so a site administrator who can inject SQL into the shared database gains access beyond their role, including other sites' tables. In both cases the realistic attacker is an insider holding an administrator account or an outsider who has taken one over through phished or reused credentials or a stolen session cookie.

No exploitation in the wild had been reported at the time of this analysis. The fixed release is 1.5.3 (the advisory's "before 1.5.3" wording identifies it), so the remediation is to update to 1.5.3 or later; the absence of a patch link on this page does not mean a fix is unavailable.
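The mechanism described above, as an added example that is not code from the WP User Merger plugin: the plugin's real parameter and query are not disclosed on this page, so the example assumes a hypothetical merge feature that looks up a source account by numeric ID and models wp_users in an in-memory SQLite database. Python's sqlite3 stands in for PHP's $wpdb; the "before" function pastes the parameter into the SQL text, the two hardened variants bind it, and the payload is the kind of UNION an authenticated administrator could submit in place of an ID.

```python
"""Constructed illustration of the CWE-89 pattern behind CVE-2022-3849.

Added example, not code from the WP User Merger plugin: the actual parameter
and query are not disclosed on this page.  Assumed here is a merge feature
that looks up a source account by numeric ID, modelled against an in-memory
SQLite copy of the wp_users table.  Python/sqlite3 stands in for PHP/$wpdb.
"""
import sqlite3

# Constructed sample rows standing in for wp_users; the hashes are placeholders.
SAMPLE_USERS = [
    (1, "admin", "$P$B_placeholder_admin_hash", "admin@example.test"),
    (2, "editor", "$P$B_placeholder_editor_hash", "editor@example.test"),
    (3, "subscriber", "$P$B_placeholder_sub_hash", "sub@example.test"),
]


def make_db():
    """Build a throwaway database shaped like WordPress's wp_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
        " user_pass TEXT, user_email TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Hypothetical 'before' code: the request parameter is pasted into the SQL
    text, which is what 'does not sanitise and escape' amounts to in practice."""
    sql = f"SELECT ID, user_login FROM wp_users WHERE ID = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, user_id):
    """Parameter binding alone: the value travels separately from the SQL text,
    so the payload is compared against ID as an opaque string and matches nothing."""
    sql = "SELECT ID, user_login FROM wp_users WHERE ID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_fixed(conn, user_id):
    """Hardened form: validate the type first, then bind.  str.isdigit plays the
    role of WordPress's absint() or a %d placeholder in $wpdb->prepare(); bad
    input fails loudly before any SQL is executed."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError(f"user_id must be a non-negative integer, got {user_id!r}")
    sql = "SELECT ID, user_login FROM wp_users WHERE ID = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


# Payload an authenticated administrator could submit instead of a numeric ID.
# The UNION keeps the column count at two, so every (ID, user_login) result row
# actually carries (user_login, user_pass) for the whole table.
INJECTION = "0 UNION SELECT user_login, user_pass FROM wp_users"


def demo():
    """Run the same payload through all three variants and summarise the outcome."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTION)
    neutralised = lookup_bound_only(conn, INJECTION)
    try:
        lookup_fixed(conn, INJECTION)
        rejected = False
    except ValueError:
        rejected = True
    return {"leaked_rows": len(leaked), "bound_only_rows": len(neutralised), "rejected": rejected}


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))
    print("bound only:", lookup_bound_only(conn, INJECTION))
    print("summary:   ", demo())
```

The vulnerable variant returns every login and password hash in the table from a query that was only meant to fetch one row. Binding alone is already sufficient to stop the injection; the type check on top of it turns a silent empty result into a visible error, which is what you want for an admin-only code path where a non-numeric ID can only mean tampering or a bug.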

Potential Impact

For European organizations running WordPress with the WP User Merger plugin, the realistic outcomes are a breach of personal data held in the WordPress database (with the notification duties GDPR attaches to it), defacement or disruption of a public-facing site, and, where the site shares credentials or network access with internal systems, a foothold for further intrusion. Arbitrary SQL against the WordPress database exposes user e-mail addresses and password hashes, allows roles and capabilities in wp_usermeta to be rewritten, and permits content and configuration in wp_posts and wp_options to be altered or deleted, which affects both availability and trust in the site. Sectors handling sensitive data under regulatory regimes (finance, healthcare, public administration, e-commerce) face the highest consequences. The administrator-role requirement narrows the entry points to insiders and to attackers who have already taken over an administrator account; it does not reduce the impact once that condition is met. Treat the vulnerability as a priority fix wherever the plugin is installed.

Mitigation Recommendations

1. Update WP User Merger to version 1.5.3 or later; that release contains the fix. Confirm the installed version afterwards on the Plugins screen or with WP-CLI rather than assuming an automatic update ran.
2. If updating is not immediately possible, deactivate the plugin until it can be updated. User merging is an occasional administrative task, and WordPress does not load a deactivated plugin's code, so its admin actions become unreachable.
3. Limit the administrator role to as few people as possible and enforce multi-factor authentication for them. The vulnerability is reachable only from that role, so the attack surface is exactly the set of accounts holding it.
4. Audit accounts with administrator capabilities (wp_usermeta rows whose wp_capabilities value contains administrator) and disable any that are unexplained or unused. Repeat the audit after applying the fix, since a SQL injection could have been used to add one.
5. Web Application Firewall rules for SQL injection add a detection layer, but the vulnerable requests are authenticated requests to wp-admin, so the rules must be applied there too, and SQL-like strings in legitimate admin content (post bodies, code snippets) will produce false positives. Treat the WAF as a compensating control while the update is rolled out, not as the fix.
6. Monitor for exploitation. MySQL's general or audit log will show UNION SELECT, SLEEP(), information_schema lookups and similar syntax that WordPress core never issues; WordPress-side activity logging should flag new administrator accounts, role changes and plugin installs.
7. Apply least privilege to the WordPress database account within the limits WordPress imposes: core and plugins need full rights on their own database, including CREATE and ALTER for plugin tables, so the achievable control is scoping the grant to that one database and denying global privileges such as FILE and SUPER and any access to other schemas. On a shared database server, give each site its own account and database.
8. Keep frequent, tested backups stored off the web server. A backup taken after a compromise may already contain an attacker's added accounts, so retain several generations rather than only the latest.
9. Train administrators on plugin hygiene: install only from trusted sources, keep plugins updated, and remove plugins that are no longer used.
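Monitoring the database log for injection syntax, as an added example that is not part of the original advisory: the scanner below parses MySQL general-log lines (timestamp, thread id, command, argument) and flags the constructs item 6 mentions, plus writes to wp_capabilities that grant administrator, which is what an attacker would do through an injection and what item 4 tells you to audit for. The log lines are constructed for the example, the wp_ table prefix is assumed, and the rule set is a starting point rather than a complete signature list.

```python
"""Added example: spotting injection attempts in MySQL's general query log.

Not part of the original advisory.  Assumes MySQL's general log format
(timestamp, thread id, command, argument) and the default wp_ table prefix;
the sample lines below are constructed, not taken from a real incident.
"""
import re

# One general-log record per line: "<ts>  <thread> <Command>\t<argument>".
GENERAL_LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)

# Each rule is (name, pattern).  The first four catch injection syntax that
# WordPress core never emits.  The last catches a role grant to Administrator,
# which is legitimate when an admin does it through the UI but is exactly what
# an attacker would write via SQL injection, so it is surfaced for review.
RULES = [
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("tautology", re.compile(r"\bOR\s+(?:(\d+)\s*=\s*\1|('[^']*')\s*=\s*\2)", re.I)),
    ("time_based", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("schema_enumeration", re.compile(
        r"\bINFORMATION_SCHEMA\b|\bLOAD_FILE\s*\(|\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    ("role_grant", re.compile(
        r"^\s*(?:UPDATE|INSERT)\b(?=.*wp_capabilities)(?=.*administrator)", re.I | re.S)),
]

# Constructed sample: one connection (thread 42) issuing two normal WordPress
# queries, four injection probes and one capability rewrite.
SAMPLE_LOG = """\
2022-11-28T13:47:10.000001Z\t   42 Connect\twpuser@localhost on wordpress using Socket
2022-11-28T13:47:10.000002Z\t   42 Query\tSELECT option_name, option_value FROM wp_options WHERE autoload = 'yes'
2022-11-28T13:47:11.000003Z\t   42 Query\tSELECT * FROM wp_users WHERE ID = 2 LIMIT 1
2022-11-28T13:47:12.000004Z\t   42 Query\tSELECT ID, user_login FROM wp_users WHERE ID = 0 UNION SELECT user_login, user_pass FROM wp_users
2022-11-28T13:47:13.000005Z\t   42 Query\tSELECT ID, user_login FROM wp_users WHERE ID = 2 OR 1=1
2022-11-28T13:47:14.000006Z\t   42 Query\tSELECT ID FROM wp_users WHERE ID = 2 AND SLEEP(5)
2022-11-28T13:47:15.000007Z\t   42 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema = 'wordpress'
2022-11-28T13:47:16.000008Z\t   42 Query\tUPDATE wp_usermeta SET meta_value = 'a:1:{s:13:"administrator";b:1;}' WHERE user_id = 3 AND meta_key = 'wp_capabilities'
2022-11-28T13:47:17.000009Z\t   42 Quit\t
"""


def scan_general_log(text):
    """Return one finding per flagged Query line: thread, timestamp, rule, query.

    Non-Query records (Connect, Quit, ...) are skipped; the first matching rule
    wins, since one hit is enough to put the connection into triage.
    """
    findings = []
    for line in text.splitlines():
        m = GENERAL_LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        query = m.group("arg")
        for name, pattern in RULES:
            if pattern.search(query):
                findings.append({
                    "thread": int(m.group("thread")),
                    "ts": m.group("ts"),
                    "rule": name,
                    "query": query,
                })
                break
    return findings


def threads_with_injection(findings):
    """Connection threads that issued injection syntax (role_grant alone is not proof)."""
    return sorted({f["thread"] for f in findings if f["rule"] != "role_grant"})


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"{f['ts']} thread={f['thread']} {f['rule']}: {f['query'][:70]}")
```

The general log is expensive on a busy site, so enable it (SET GLOBAL general_log = 'ON') only for the investigation window or use the server's audit plugin instead. The thread id is the pivot: a Connect record on the same thread names the database user, and because WordPress uses one account for everything, attribution to a WordPress user has to come from correlating the timestamp with the web server's access log for wp-admin requests. Expect false positives from legitimate content that happens to contain "UNION SELECT" or "OR 1=1" in a post body; the role_grant rule in particular will fire on every genuine promotion to administrator, which is the intended behaviour for a review queue.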

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-11-03T10:34:49.977Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef4d7

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/22/2025, 7:21:34 AM

Last updated: 7/21/2025, 9:08:14 AM
