CVE-2022-45278 Jizhicms v2.3.3 contains a SQL injection vulnerability.

If the user was able to inject data into the get_fields.html file, an attacker could exploit the SQL injection vulnerability and potentially acquire sensitive information.

It is recommended that website administrators review the source code of all installed plugins to ensure there are no vulnerabilities. Vulnerabilities are frequently fixed with the next plugin version.

It is also recommended that the WordPress configuration be inspected to ensure there are no misconfigurations that could lead to information leaks.

Jizhicms v2.3.3 also has a backdoor vulnerability via the /backend/jizhicms/js/main.js script. If the user has the administrative privileges, the attacker could add a new file with a custom name and contents.

Common Vulnerabilities and Exposures

A common vulnerability is a backdoor vulnerability. If the user has the administrative privileges, they could create a new file with a custom name and contents.
The security of WordPress sites depends largely on how they are configured. One important point to keep in mind is that many of these configurations are done via plugins. More than half of all websites use at least one plugin and it’s recommended that website administrators review the source code of all installed plugins to ensure there are no vulnerabilities.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 11/28/2022 19:35:00 UTC

References