一、 漏洞 CVE-2024-9796 基础信息
漏洞信息
# WP-Advanced-Search < 3.3.9.2 - 未经认证的SQL注入漏洞
## 漏洞概述
WP-Advanced-Search WordPress插件在3.3.9.2之前的版本中未对`t`参数进行清理和转义,导致未经认证的用户可以执行SQL注入攻击。
## 影响版本
WP-Advanced-Search WordPress插件 3.3.9.2之前的版本
## 漏洞细节
插件在使用`t`参数构建SQL语句之前,没有进行必要的清理和转义处理,这使得攻击者可以通过操纵该参数向数据库注入恶意SQL代码。
## 漏洞影响
允许未经认证的用户执行SQL注入攻击,可能导致数据泄露、数据损坏或数据库操控等严重安全问题。
提示
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
二、漏洞 CVE-2024-9796 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection | https://github.com/RandomRobbieBF/CVE-2024-9796 | POC详情 |
| 2 | WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection | https://github.com/issamiso/CVE-2024-9796 | POC详情 |
| 3 | WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection | https://github.com/issamjr/CVE-2024-9796 | POC详情 |
| 4 | Vulnerable website to the CVE-2024-9796 | https://github.com/viniciuslazzari/CVE-2024-9796 | POC详情 |
| 5 | The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-9796.yaml | POC详情 |
| 6 | CVE-2024-9796 WP-Advanced-Search < 3.3.9.2 - Unauthenticated SQL Injection. Poc. | https://github.com/BwithE/CVE-2024-9796 | POC详情 |
三、漏洞 CVE-2024-9796 的情报信息
-
标题: WP-Advanced-Search < 3.3.9.2 – Unauthenticated SQL Injection | CVE 2024-9796 | Plugin Vulnerabilities -- 🔗来源链接
标签: exploit vdb-entry technical-description
神龙速读
- https://nvd.nist.gov/vuln/detail/CVE-2024-9796
四、漏洞 CVE-2024-9796 的评论
暂无评论