CVE-2015-9323
Published 2019-08-16
CVE-2015-9323: The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
Priority P273 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 46.13% (98.7th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| duckdev | 404_to_301 | < 2.0.3 | 2.0.3 |
Detection & IOCs (extracted from sources)
command: `sqlmap -u "http://<target>:<port><path>wp-admin/admin.php?page=i4t3-logs&orderby=1" --level 2 --risk 2 --cookie="<cookie>" -p orderby -v0`
- The SQL injection parameter is `orderby` in the GET request to `/wp-admin/admin.php?page=i4t3-logs`. Monitor for anomalous or unsanitized values in this parameter.
- Detect presence of the vulnerable plugin by checking HTTP responses for the string `404-to-301` in the body with content-type `text/html` and status code 200.
- The exploit uses sqlmap with `--level 2 --risk 2` and targets the `-p orderby` parameter specifically; WAF/IDS rules should flag sqlmap fingerprints against this endpoint.
- Exploitation is authenticated: an attacker must have valid WordPress credentials before triggering the SQL injection via the admin panel.
- The vulnerability affects plugin versions <= 2.0.2; version 2.0.3 and above are patched.
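
One way to apply the first and third notes above to web-server access logs, as an added example that is not part of the original record or of the plugin: it flags requests to `page=i4t3-logs` whose `orderby` value is not a plain identifier or whose User-Agent names sqlmap. The combined log format, the identifier allowlist, and the column name `date` in the sample lines are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate sort value is a plain column identifier.
SAFE_ORDERBY = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Request line, status, size, referer and User-Agent of a combined-format log line.
LOG_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def check_line(line):
    """Return findings for one access-log line (empty list if clean or unrelated)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    # WordPress may live under a sub-path, so match on the path suffix.
    if not url.path.endswith("/wp-admin/admin.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("page") != ["i4t3-logs"]:
        return []
    findings = []
    values = params.get("orderby", [])
    if len(values) > 1:
        findings.append("duplicate orderby parameter")
    for value in values:
        if not SAFE_ORDERBY.fullmatch(value):
            findings.append(f"non-identifier orderby value: {value!r}")
    if "sqlmap" in m["ua"].lower():
        findings.append("sqlmap User-Agent")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = [(n, check_line(l)) for n, l in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample log lines (documentation IP addresses).
PREFIX = '203.0.113.9 - - [01/Feb/2022:10:00:00 +0000] "GET '
SAMPLE = [
    PREFIX + '/wp-admin/admin.php?page=i4t3-logs&orderby=date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    PREFIX + '/wp-admin/admin.php?page=i4t3-logs&orderby=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.6"',
    PREFIX + '/blog/wp-admin/admin.php?page=i4t3-logs&orderby=date%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    PREFIX + '/wp-admin/admin.php?page=other&orderby=date%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(number, findings)
```

A User-Agent match is only a weak signal because the header is client-controlled; the `orderby` check is the one that does not depend on the tool used.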
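CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |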
No detection rules found.
Exploit-DB
Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
exploitdb·2022-02-02·CVSS 9.8
---
# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
# Date 30.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
# Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
# Version: <= 2.0.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2015-9323
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md
'''
Description:
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
'''
Nuclei
404 to 301 <= 2.0.2 - Authenticated Blind SQL Injection
nuclei·CVSS 9.8
404 to 301 =7'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "404-to-301")'
condition: and
# digest: 4a0a00473045022076e7faa4ba20bf8952193cd6e0a24aa75b384140e72da17212d837b5ca2c8908022100ad62c0634a90123d8334f413dce7744617ebd52c63e679f4eac976df5078e2f9:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
Published: 2019-08-16