CVE-2022-0949: 
WordPress vulnerability analysis and mitigation

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin (version before 6.930) contains a security vulnerability identified as CVE-2022-0949. The vulnerability was discovered and publicly disclosed on March 16, 2022, affecting the WordPress plugin 'stopbadbots'. This security issue was later patched in version 6.930 (WPScan).

The vulnerability is classified as an SQL injection (SQLI) with a CVSS score of 8.6 (high severity). The issue stems from improper sanitization and escaping of the fingerprint parameter in SQL statements, specifically through the stopbadbots_grava_fingerprint AJAX action. This vulnerability is accessible to unauthenticated users, making it particularly dangerous. The vulnerability falls under the OWASP Top 10 category A1: Injection and is classified as CWE-89 (WPScan).

As an unauthenticated SQL injection vulnerability, this security flaw could potentially allow attackers to manipulate the database queries, potentially leading to unauthorized access to sensitive data, modification of database contents, or execution of malicious database operations (WPScan).

The vulnerability has been fixed in version 6.930 of the Block Bad Bots plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan, CVE Mitre).