
CVE-2022-3865: CWE-89 SQL Injection in Unknown WP User Merger

Severity: High
Tags: Vulnerability, CVE-2022-3865, CWE-89 SQL Injection
Published: Mon Nov 28 2022 (11/28/2022, 13:50:09 UTC)
Source: CVE
Vendor/Project: Unknown
Product: WP User Merger

Description

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.

AI-Powered Analysis

Last updated: 06/22/2025, 04:50:36 UTC

Technical Analysis

CVE-2022-3865 is a high-severity SQL injection vulnerability affecting the WP User Merger WordPress plugin in versions prior to 1.5.3. The plugin does not properly sanitize and escape user-supplied input before incorporating it into SQL queries, so a parameter used in a SQL statement can be manipulated to alter the query. Exploitation requires an authenticated user with at least admin-level privileges on the WordPress site and no further user interaction.

A successful attack lets the attacker execute arbitrary SQL against the underlying database, which can lead to unauthorized data disclosure, modification or deletion, and ultimately full compromise of the site's backend data. The CVSS v3.1 base score is 8.8, reflecting a network attack vector, low attack complexity, low required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits had been reported in the wild as of the publication date, but the severity warrants prompt attention.

Because the plugin's purpose is merging WordPress user accounts, the affected queries most likely touch user data tables, which raises the risk of sensitive user information being exposed or altered. Since admin privileges are required, the risk is concentrated in environments where admin accounts may be compromised or where several people hold admin access, such as multi-admin installations or managed hosting environments.
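The pattern behind CWE-89 in a WordPress plugin, shown as an added example that is not code from WP User Merger or any advisory source. The functions, the nonce name and the "reassign post authorship" merge step are all hypothetical assumptions; only the WordPress APIs used (`$wpdb->prepare`, `absint`, `current_user_can`, `check_admin_referer`, `get_userdata`, `wp_die`) are real. The unsafe variant splices request parameters straight into the SQL string; the hardened variant restricts who can reach the query, coerces the inputs to integers, and binds them through `%d` placeholders so they are never interpreted as SQL text.

```php
<?php
// Added illustration, not the plugin's code. Assumes a hypothetical admin-only
// action that merges user $from into user $to by reassigning post authorship in
// the standard wp_posts table.

// Unsafe pattern (CWE-89): request parameters are interpolated into the query
// with no validation, casting or escaping.
function hypothetical_merge_unsafe() {
    global $wpdb;
    $from = $_POST['from_user']; // attacker-controlled string
    $to   = $_POST['to_user'];
    // Whatever text arrives in the parameters becomes part of the SQL statement.
    return $wpdb->query(
        "UPDATE {$wpdb->posts} SET post_author = $to WHERE post_author = $from"
    );
}

// Hardened pattern:
//  1. capability and nonce checks so only an intended admin action reaches the query
//  2. absint() so each value can only ever be a non-negative integer
//  3. $wpdb->prepare() with %d placeholders so values are bound, not concatenated
function hypothetical_merge_safe() {
    global $wpdb;

    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypothetical_merge_users' ); // nonce action name is assumed

    $from = absint( $_POST['from_user'] ?? 0 );
    $to   = absint( $_POST['to_user'] ?? 0 );
    if ( ! $from || ! $to || $from === $to ) {
        wp_die( 'Invalid user ids', '', array( 'response' => 400 ) );
    }
    if ( ! get_userdata( $from ) || ! get_userdata( $to ) ) {
        wp_die( 'Unknown user', '', array( 'response' => 400 ) );
    }

    // prepare() produces the final SQL with the integers substituted for %d;
    // a string such as "1 OR 1=1" cannot survive absint() or the %d binding.
    $rows = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->posts} SET post_author = %d WHERE post_author = %d",
            $to,
            $from
        )
    );
    return $rows; // number of reassigned rows, or false on a database error
}
```

When reviewing a plugin for this class of bug, the thing to look for is any `$wpdb->query()`, `$wpdb->get_results()` or similar call whose SQL string contains a `$` variable or `{$...}` expansion that is not a table-name property such as `$wpdb->posts`; each such value should instead go through `$wpdb->prepare()` with a `%d`, `%s` or `%f` placeholder. A capability check on its own is not a fix for the injection, it only narrows who can trigger it, which is exactly the situation this CVE describes.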

Potential Impact

For European organizations using WordPress sites with the WP User Merger plugin, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive user data, including personally identifiable information (PII), which is subject to strict data protection regulations such as the GDPR. Data integrity could be compromised by unauthorized modification or deletion of user accounts, potentially disrupting business operations or causing reputational damage. Availability impacts could arise if attackers delete or corrupt database records, leading to service outages. Organizations in sectors with high regulatory scrutiny—such as finance, healthcare, and government—face increased compliance risks and potential fines. Additionally, attackers leveraging this vulnerability could pivot to further compromise the hosting environment or use the site as a foothold for broader network attacks. Given the plugin’s niche functionality, the impact is concentrated on sites that specifically use WP User Merger, but for those sites, the risk is substantial.

Mitigation Recommendations

1. Immediate update: Organizations should upgrade the WP User Merger plugin to version 1.5.3 or later, where the vulnerability is patched.
2. Privilege review: Conduct a thorough audit of WordPress user roles and permissions to minimize the number of admin accounts and ensure only trusted personnel have such access.
3. Web application firewall (WAF): Deploy or tune WAF rules to detect and block SQL injection patterns targeting the plugin’s endpoints, especially those involving user merging functionality.
4. Database monitoring: Implement database activity monitoring to detect anomalous queries indicative of SQL injection attempts.
5. Access controls: Restrict administrative access to WordPress dashboards via IP whitelisting or VPN to reduce exposure.
6. Backup and recovery: Maintain regular, tested backups of WordPress databases to enable rapid recovery in case of data corruption or loss.
7. Security plugins: Use WordPress security plugins that can detect suspicious admin activities or unauthorized changes to plugins.
8. Incident response planning: Prepare for potential exploitation scenarios by establishing clear response procedures including forensic analysis and notification obligations under GDPR.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-11-04T15:20:02.528Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf03c1

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/22/2025, 4:50:36 AM

Last updated: 8/11/2025, 12:30:25 AM
