CVE-2022-0784 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in WordPress 'Title Experiments Free' plugin. 💥 **Consequences**: Attackers can steal data, modify content, or hijack admin accounts via unsanitized input.

🛡️ **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command. 🐛 **Flaw**: The `id` parameter in `wpex_titles` AJAX action is not escaped before SQL execution.

📦 **Product**: WordPress Plugin 'Title Experiments Free'. 📉 **Affected**: Versions **before 9.0.1**. ✅ **Fixed**: Version 9.0.1 and later.

🕵️ **Privileges**: **Unauthenticated** access required. 📂 **Impact**: Can obtain sensitive info, modify database data, or execute unauthorized admin operations.

⚡ **Threshold**: **LOW**. No login needed! The vulnerability is exposed via an AJAX action available to **anyone** on the internet.

🔓 **Exploit**: Yes. Public PoC exists via **Nuclei Templates** (ProjectDiscovery). Wild exploitation is highly likely due to ease of use.

🔍 **Check**: Scan for the plugin 'Title Experiments Free'. 🧪 **Test**: Send crafted SQL payloads to the `wpex_titles` AJAX endpoint with an `id` parameter.

🔧 **Fix**: Update the plugin to **version 9.0.1 or higher**. The developer has released a patch to sanitize the input.

🚫 **Workaround**: If you can't update, **disable or delete** the plugin immediately. 🛑 Block access to `wp-admin/admin-ajax.php` for this specific action if possible.

🔥 **Priority**: **CRITICAL**. Unauthenticated SQLi is a high-severity threat. Patch immediately to prevent data breaches and site compromise.