VYPR
Critical severity · NVD Advisory · Published Mar 14, 2022 · Updated Aug 2, 2024

Zero Spam < 5.2.11 - Admin+ SQL Injection

CVE-2022-0254

Description

The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Zero Spam WordPress plugin before 5.2.11 is vulnerable to SQL injection via unsanitized order and orderby parameters in the admin dashboard.

Vulnerability

The WordPress Zero Spam plugin versions prior to 5.2.11 fail to properly sanitize and escape the order and orderby parameters before incorporating them into SQL statements behind the admin dashboard's log and blocked-entry tables [1][4]. In the prepare_items methods of the three list-table classes, $_REQUEST['order'] was passed through sanitize_text_field, which strips tags, control characters and stray whitespace but leaves SQL syntax such as parentheses, commas and keywords intact, so it offers no protection in a SQL context [2]. In class-logtable.php $_REQUEST['orderby'] was handled the same way, while the other two tables already passed it through sanitize_sql_orderby [2]. The static query() helper in includes/class-db.php then concatenated both values straight into the ORDER BY clause [2]. The fix in 5.2.11 switches order to sanitize_key in all three tables, switches orderby in class-logtable.php to sanitize_sql_orderby, and wraps the ORDER BY clause assembled in query() in sanitize_sql_orderby [2].

Exploitation

An attacker must be authenticated with administrative-level privileges to reach the admin dashboard page that renders the log table [4]; no special network position or user interaction beyond login is required. The attacker requests the affected admin page with a crafted value in the order or orderby parameter, and the plugin concatenates that value into the ORDER BY clause of the log query [4]. Because the injection point is an ORDER BY clause rather than a quoted string literal, no quote character has to be closed: any SQL expression placed there is evaluated by the database, so the usual approach is a conditional or time-delay expression whose observable effect leaks data one bit at a time (blind injection) rather than an attempt to append a second statement.
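The pattern the two paragraphs above describe, shown as an added example that is not code from the Zero Spam plugin or the advisory: a text-oriented sanitiser followed by string concatenation into ORDER BY, next to the allow-list version a reviewer would ask for. It runs stand-alone under the PHP CLI without WordPress; the stand-in sanitiser only imitates the one property that matters (no SQL-aware filtering) and is not sanitize_text_field(), and the table and column names are invented for the demo.

```php
<?php
// Added example, not code from the Zero Spam plugin or the advisory. It reproduces the
// unsafe shape of the pre-5.2.11 sort handling beside an allow-listed version, without
// WordPress: the helper below stands in for a tag/whitespace sanitiser and is NOT
// WordPress's sanitize_text_field(); table and column names are made up for the demo.

// Stand-in sanitiser: strips HTML tags and surrounding whitespace but, like any
// text-oriented filter, leaves parentheses, commas, spaces and SQL keywords untouched.
function text_sanitiser_stand_in( string $value ): string {
    return trim( strip_tags( $value ) );
}

// Unsafe: the request values are concatenated straight into the ORDER BY clause.
function build_query_unsafe( string $table, array $request ): string {
    $order   = ! empty( $request['order'] ) ? text_sanitiser_stand_in( $request['order'] ) : 'desc';
    $orderby = ! empty( $request['orderby'] ) ? text_sanitiser_stand_in( $request['orderby'] ) : 'date_recorded';
    return "SELECT * FROM {$table} ORDER BY {$orderby} {$order} LIMIT 50";
}

// Hardened: direction and column must match a closed allow-list; anything else is
// replaced by the default rather than "cleaned", so no request-controlled text reaches SQL.
function build_query_hardened( string $table, array $request, array $sortable_columns ): string {
    $order = strtolower( (string) ( $request['order'] ?? '' ) );
    if ( ! in_array( $order, array( 'asc', 'desc' ), true ) ) {
        $order = 'desc';
    }
    $orderby = (string) ( $request['orderby'] ?? '' );
    if ( ! in_array( $orderby, $sortable_columns, true ) ) {
        $orderby = 'date_recorded';
    }
    return "SELECT * FROM {$table} ORDER BY `{$orderby}` {$order} LIMIT 50";
}

// Constructed inputs. The second one targets the ORDER BY position, where no quote has
// to be closed, so a subquery passes the text sanitiser unchanged and MySQL evaluates it.
$requests = array(
    'normal'   => array( 'orderby' => 'date_recorded', 'order' => 'asc' ),
    'injected' => array( 'orderby' => '(SELECT SLEEP(5))', 'order' => 'desc' ),
);
$sortable_columns = array( 'date_recorded', 'log_type', 'user_ip' ); // hypothetical columns

foreach ( $requests as $label => $request ) {
    echo "[{$label}] unsafe:   " . build_query_unsafe( 'example_log', $request ) . PHP_EOL;
    echo "[{$label}] hardened: " . build_query_hardened( 'example_log', $request, $sortable_columns ) . PHP_EOL;
}
```

Run with `php example.php`: the unsafe builder emits `ORDER BY (SELECT SLEEP(5)) desc` for the injected request, while the hardened builder falls back to the default column and direction. The design point is that an allow-list replaces rejected input instead of trying to clean it, which is the same reason the fixed plugin's sanitize_sql_orderby() returns false rather than a "repaired" string.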

Impact

Successful exploitation lets an authenticated administrator run attacker-chosen SQL expressions inside the log query, which can be used to read arbitrary tables (password hashes, options, other plugins' data) and, depending on the database user's grants, to modify them [1][4]. The injected SQL runs with the privileges of the database user configured for WordPress, which typically has full access to every WordPress table. Since a WordPress administrator can normally already install plugins or edit theme files, the practical significance is highest on sites that restrict those capabilities (for example with DISALLOW_FILE_MODS, or for non-super-admin administrators on multisite) and for an attacker holding a stolen admin session who wants to extract data without touching the filesystem.

Mitigation

The vulnerability is fixed in Zero Spam plugin version 5.2.11, released on 2022-02-18 [4]. Note that the GitHub Security Advisory data on this page lists versions below 5.2.13 as affected and 5.2.13 as patched, so upgrading to 5.2.13 or later satisfies both sources. If upgrading is not possible, limit the administrator role to the accounts that genuinely need it and enforce strong authentication on them, since only a logged-in administrator can reach the vulnerable screens; this reduces exposure but does not remove the flaw. For detection, the malicious input travels in the order and orderby query parameters of wp-admin requests, so web-server access logs can be searched for values that are not a plain column name or asc/desc, and database error logs watched for ORDER BY syntax errors coming from the plugin's log queries.
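One way to do the access-log check suggested above, as an added example that is not part of the advisory or the plugin: it pulls order/orderby out of wp-admin request lines and flags anything that is not asc/desc or a single identifier. The Apache combined-format log lines are constructed for the demo and the page slug "example-log-page" is made up; it runs stand-alone under the PHP CLI.

```php
<?php
// Added example, not part of the advisory or the plugin: flag wp-admin requests whose
// order/orderby query parameters do not look like a sort direction or a single column
// name. The log lines are constructed for the demo (Apache combined format) and the
// page slug "example-log-page" is made up.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [18/Feb/2022:10:01:02 +0000] "GET /wp-admin/admin.php?page=example-log-page&orderby=date_recorded&order=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2022:10:01:09 +0000] "GET /wp-admin/admin.php?page=example-log-page&orderby=%28SELECT+SLEEP%285%29%29&order=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [18/Feb/2022:10:02:44 +0000] "GET /wp-admin/edit.php?orderby=title&order=desc%2C%201 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Feb/2022:10:03:10 +0000] "GET /?s=orderby HTTP/1.1" 200 2048 "-" "curl/7.81.0"
LOG;

// Returns one entry per suspicious line: the raw line plus the offending parameter(s).
function suspicious_sort_params( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // Pull the request target out of the quoted request line.
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[0-9.]+"/', $line, $m ) ) {
            continue;
        }
        $url = parse_url( $m[1] );
        if ( empty( $url['query'] ) || strpos( $url['path'] ?? '', '/wp-admin/' ) !== 0 ) {
            continue; // only admin screens take these list-table sort parameters
        }
        parse_str( $url['query'], $params ); // parse_str also percent-decodes the values
        $reasons = array();
        // Direction: exactly asc or desc, case-insensitively.
        if ( isset( $params['order'] ) && ( ! is_string( $params['order'] ) || ! preg_match( '/^(asc|desc)$/i', $params['order'] ) ) ) {
            $reasons[] = 'order=' . var_export( $params['order'], true );
        }
        // Column: a single identifier. Comma-separated lists and backticks, which
        // sanitize_sql_orderby() would still accept, are flagged here on purpose;
        // relax the pattern for screens that legitimately sort on several columns.
        if ( isset( $params['orderby'] ) && ( ! is_string( $params['orderby'] ) || ! preg_match( '/^[A-Za-z0-9_]+$/', $params['orderby'] ) ) ) {
            $reasons[] = 'orderby=' . var_export( $params['orderby'], true );
        }
        if ( $reasons ) {
            $hits[] = array( 'line' => $line, 'reasons' => $reasons );
        }
    }
    return $hits;
}

foreach ( suspicious_sort_params( SAMPLE_LOG ) as $hit ) {
    echo 'SUSPICIOUS (' . implode( '; ', $hit['reasons'] ) . '): ' . $hit['line'] . PHP_EOL;
}
```

On the constructed input the second and third lines are flagged (a subquery in orderby, and a comma-separated order value) while the first and fourth pass. The check deliberately tests the decoded values, since attackers percent-encode the payload; feed it real logs with `php scan.php < access.log` after swapping SAMPLE_LOG for `stream_get_contents( STDIN )`.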

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bmarshall511/wordpress_zero_spam (Packagist)
Affected versions: < 5.2.13
Patched versions: 5.2.13

Affected products: 3

Patches: 1

Commit 49723f696f1e

fix(security): fixes the missing orderby parameter sanitization in the admin dashboard

8 files changed · +19 −14
  • core/admin/tables/class-blockedlocations.php+1 1 modified
    @@ -138,7 +138,7 @@ public function prepare_items( $args = array() ) {
     		$per_page     = 50;
     		$current_page = $this->get_pagenum();
     		$offset       = $per_page * ( $current_page - 1 );
    -		$order        = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : 'desc';
    +		$order        = ! empty( $_REQUEST['order'] ) ? sanitize_key( $_REQUEST['order'] ) : 'desc';
     		$orderby      = ! empty( $_REQUEST['orderby'] ) ? sanitize_sql_orderby( $_REQUEST['orderby'] ) : 'date_added';
     
     		$log_type   = ! empty( $_REQUEST['type'] ) ? sanitize_text_field( $_REQUEST['type'] ) : false;
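Review bot: sanitize_key() on the `+` order line lowercases and strips the value to [a-z0-9_-] but does not constrain it to a sort direction, so `descfoo` or `drop` still reaches the ORDER BY clause unchanged; compare against an explicit allow-list instead, e.g. `$order = in_array( strtolower( $_REQUEST['order'] ), array( 'asc', 'desc' ), true ) ? strtolower( $_REQUEST['order'] ) : 'desc';`. The unchanged orderby line below it relies on sanitize_sql_orderby(), which returns false rather than a string for rejected input; the ternary only tests the raw request value, so a false result should also fall back to 'date_added'.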
    
  • core/admin/tables/class-blockedtable.php+1 1 modified
    @@ -130,7 +130,7 @@ public function prepare_items( $args = array() ) {
     		$per_page     = 50;
     		$current_page = $this->get_pagenum();
     		$offset       = $per_page * ( $current_page - 1 );
    -		$order        = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : 'desc';
    +		$order        = ! empty( $_REQUEST['order'] ) ? sanitize_key( $_REQUEST['order'] ) : 'desc';
     		$orderby      = ! empty( $_REQUEST['orderby'] ) ? sanitize_sql_orderby( $_REQUEST['orderby'] ) : 'date_added';
     
     		$log_type   = ! empty( $_REQUEST['type'] ) ? sanitize_text_field( $_REQUEST['type'] ) : false;
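Review bot: the `+` order line has the same gap as the identical change in class-blockedlocations.php: sanitize_key() does not reduce the value to asc/desc, and on the orderby line after it a false return from sanitize_sql_orderby() is not caught by the emptiness check on $_REQUEST['orderby'], so the 'date_added' default is never used for rejected input. An asc/desc allow-list for order and a test on the sanitize_sql_orderby() result (e.g. `?: 'date_added'`) would close both.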
    
  • core/admin/tables/class-logtable.php+2 2 modified
    @@ -152,9 +152,9 @@ public function prepare_items() {
     		$current_page = $this->get_pagenum();
     		$offset       = 1 === $current_page ? false : $per_page * $current_page;
     		// @codingStandardsIgnoreLine
    -		$order = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['order'] ) ) : 'desc';
    +		$order = ! empty( $_REQUEST['order'] ) ? sanitize_key( wp_unslash( $_REQUEST['order'] ) ) : 'desc';
     		// @codingStandardsIgnoreLine
    -		$orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['orderby'] ) ) : 'date_recorded';
    +		$orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_sql_orderby( wp_unslash( $_REQUEST['orderby'] ) ) : 'date_recorded';
     
     		// @codingStandardsIgnoreLine
     		$log_type   = ! empty( $_REQUEST['type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['type'] ) ) : false;
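Review bot: on the `+` orderby line sanitize_sql_orderby() can return false, and because the ternary tests only whether the raw $_REQUEST['orderby'] is non-empty, that false is assigned as the sort column instead of the 'date_recorded' default; test the sanitized result instead, e.g. `$orderby = sanitize_sql_orderby( wp_unslash( $_REQUEST['orderby'] ) ) ?: 'date_recorded';`, so the query stays well-formed. sanitize_sql_orderby() also accepts any identifier-shaped name, not only the columns this list table can sort on; validating against the table's own sortable-columns list (get_sortable_columns() if this extends WP_List_Table, as prepare_items() and get_pagenum() suggest) would be stricter, and the order value on the `+` line above should be limited to asc/desc rather than merely passed through sanitize_key().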
    
  • core/class-settings.php+1 1 modified
    @@ -342,7 +342,7 @@ public static function get_settings( $key = false ) {
     			'type'    => 'html',
     			'html'    => sprintf(
     				wp_kses(
    -					/* translators: %s: url */
    +					/* translators: %s: admin URL to regenerate the Zero Spam honeypot ID */
     					__( '<a href="%s" class="button">Regenerate Honeypot ID</a>', 'zerospam' ),
     					array(
     						'a' => array(
    
  • includes/class-db.php+5 4 modified
    @@ -282,11 +282,12 @@ public static function query( $table, $args = array() ) {
     		}
     
     		if ( ! empty( $args['orderby'] ) ) {
    -			$sql .= ' ORDER BY ' . $args['orderby'];
    -		}
    +			$orderby = $args['orderby'];
    +			if ( ! empty( $args['order'] ) ) {
    +				$orderby = ' ' . $args['order'];
    +			}
     
    -		if ( ! empty( $args['order'] ) ) {
    -			$sql .= ' ' . $args['order'];
    +			$sql .= ' ORDER BY ' . sanitize_sql_orderby( $orderby );
     		}
     
     		if ( ! empty( $args['limit'] ) ) {
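Review bot: logic error in the new `+` block: `$orderby = ' ' . $args['order'];` assigns instead of appending, so whenever $args['order'] is set the column name is discarded and the query ends in `ORDER BY  desc` (or `asc`), which MySQL rejects because the direction keyword is reserved; this should read `$orderby .= ' ' . $args['order'];`. The other gap is that sanitize_sql_orderby() returns false for input it rejects, and false concatenates as an empty string, leaving a dangling `ORDER BY ` fragment on the `+ $sql .=` line: capture the return value and skip the clause (or fall back to a default column) when it is false rather than appending it unconditionally.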
    
  • modules/class-zerospam.php+1 1 modified
    @@ -112,7 +112,7 @@ public function settings( $settings, $options ) {
     			'title'       => __( 'License Key', 'zerospam' ),
     			'desc'        => sprintf(
     				wp_kses(
    -					/* translators: %1$s: Replaced with the Zero Spam URL, %2$s: Replaced with the Zero Spam subscription URL */
    +					/* translators: 1: the zerospam.org URL 2: the zerospam.org premium product URL */
     					__( 'Enter your <a href="%1$s" target="_blank" rel="noopener noreferrer">Zero Spam</a> license key or define it in <code>wp-config.php</code>, using the constant <code>ZEROSPAM_LICENSE_KEY</code> to enable enhanced protection. Don\'t have an license key? <a href="%2$s" target="_blank" rel="noopener noreferrer"><strong>Get one now!</strong></a>', 'zerospam' ),
     					array(
     						'strong' => array(),
    
  • readme.txt+6 2 modified
    @@ -3,9 +3,9 @@ Contributors: bmarshall511
     Tags: protection, firewall, security, spam, spam blocker
     Donate link: https://www.zerospam.org/subscribe/
     Requires at least: 5.2
    -Tested up to: 5.8.3
    +Tested up to: 5.9
     Requires PHP: 7.3
    -Stable tag: 5.2.10
    +Stable tag: 5.2.11
     License: GNU GPLv3
     License URI: https://choosealicense.com/licenses/gpl-3.0/
     
    @@ -103,6 +103,10 @@ If hosting with Pantheon, see their [known issues page](https://pantheon.io/docs
     
     == Changelog ==
     
    += v.5.2.11
    +
    +* fix(security): fixes the missing orderby parameter sanitization in the admin dashboard
    +
     = v5.2.10 =
     
     * fix(security): fixes the missing parameter sanitization in the admin dashboard, resolves #301
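Review bot: style: the added heading `= v.5.2.11` has a stray dot after `v` and lacks the closing ` =` that every other entry (e.g. `= v5.2.10 =`) uses; the WordPress.org readme parser keys changelog sections on the `= ... =` form, so it should be `= v5.2.11 =`.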
    
  • wordpress-zero-spam.php+2 2 modified
    @@ -13,7 +13,7 @@
      * Plugin Name:       WordPress Zero Spam
      * Plugin URI:        https://www.highfivery.com/projects/zero-spam/
      * Description:       Tired of all the worthless and bloated WordPress anti-spam & security plugins? WordPress Zero Spam makes blocking spam &amp; malicious activity a cinch. <strong>Just install, activate, configure, and say goodbye to spam.</strong>
    - * Version:           5.2.10
    + * Version:           5.2.11
      * Requires at least: 5.2
      * Requires PHP:      7.3
      * Author:            Highfivery LLC
    @@ -31,7 +31,7 @@
     define( 'ZEROSPAM', __FILE__ );
     define( 'ZEROSPAM_PATH', plugin_dir_path( ZEROSPAM ) );
     define( 'ZEROSPAM_PLUGIN_BASE', plugin_basename( ZEROSPAM ) );
    -define( 'ZEROSPAM_VERSION', '5.2.10' );
    +define( 'ZEROSPAM_VERSION', '5.2.11' );
     
     if ( defined( 'ZEROSPAM_DEVELOPMENT_URL' ) ) {
     	define( 'ZEROSPAM_URL', ZEROSPAM_DEVELOPMENT_URL );
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.