CVE-2022-0817: 
WordPress vulnerability analysis and mitigation

The BadgeOS WordPress plugin through version 3.7.0 contains an SQL Injection vulnerability (CVE-2022-0817) that was discovered in early 2022. The vulnerability affects the plugin's AJAX functionality where a parameter is not properly sanitized and escaped before being used in SQL statements (CVE Details, WPScan).

The vulnerability exists due to insufficient input validation when processing client requests through an AJAX action. The issue specifically involves the 'get-achievements' AJAX action where the user_id parameter is not properly sanitized. The vulnerability has a CVSS score of 8.6 (High) and is classified as an SQL Injection (SQLI) vulnerability falling under the OWASP Top 10 category A1: Injection and CWE-89 (WPScan, FortiGuard).

Successful exploitation of this vulnerability could allow remote attackers to add, view, delete, or modify data in the target system's database. The vulnerability is particularly severe as it can be exploited by unauthenticated users, potentially leading to full system compromise (FortiGuard).

The vulnerability was fixed in BadgeOS version 3.7.1, which removed the AJAX actions from being available to unauthenticated users. However, it's worth noting that the SQL injection vulnerability still exists in the code but is only exploitable by authenticated users after the update. The recommended action is to upgrade to version 3.7.1 or later (WPScan, FortiGuard).