CVE-2020-13640
Published 2020-06-18
Priority P1 · 82 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 12.71% (95.8th percentile)
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gvectors | wpdiscuz | <= 5.3.5 | — |
Detection & IOCs (extracted from sources)
- other: `order=96) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END)=1 ASC #` (fragment of the injected `order` parameter value)
- sigma: `matchers: type: word, part: body, words: '"comment_list":null'`
- Monitor HTTP requests to the WordPress wpdLoadMoreComments AJAX action for SQL injection payloads in the 'order' parameter, specifically those containing subqueries referencing information_schema.tables.
- A successful blind SQL injection probe returns a JSON response body containing '"comment_list":null', which can be used as a detection signal in WAF or IDS rules.
- The exploit payload uses a boolean-based blind SQLi pattern with THEN/ELSE and a subselect from information_schema.tables injected into the 'order' POST parameter of the wpdLoadMoreComments request.
- Only wpDiscuz plugin versions 5.3.5 and earlier are affected; version 7.x is explicitly NOT vulnerable.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-p3wm-3hr8-rqrv (ghsa_unreviewed · 2022-05-24) · CVE-2020-13640 [HIGH] · CWE-89
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
VulnCheck
gvectors wpdiscuz Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (vulncheck · 2020 · CVSS 9.8) · CVE-2020-13640 [CRITICAL]
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
Affected: gvectors wpdiscuz
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-5-3-5-unauthenticated-sql-injection-sqli-vulnerability
- https://app.crowdsec.net/cti/cve-explorer/CVE-2020-13640
No detection rules found.
Nuclei
wpDiscuz <= 5.3.5 - SQL Injection (nuclei · CVSS 9.8) · CVE-2020-13640 [CRITICAL]
Template excerpt (the info block and the request lines are truncated in the indexed copy; only the tail of each injected `order` value and the matchers survived):

```yaml
# [truncated] ... first request; the injected order value ends with:
#   96) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END)=1 ASC #&lastParentId=&postId={{postid}}
    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - 'comment_list":"   # [value truncated in the indexed copy]
# [truncated] ... second request; the injected order value ends with:
#   97) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END)=1 ASC #&lastParentId=&postId={{postid}}
    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - '"comment_list":null'
        condition: and
# digest: 490a0046304402201b9c227e1778928e12649330e231521e43e16d4dda9634271de1cfc3ef7f16be02206767a6a37d63273787f6c5b3c936364d5e12c4fff929d21037d476e2cf3e10b5:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2020/07/06/1
- https://plugins.trac.wordpress.org/browser/wpdiscuz/tags/5.3.6
- https://plugins.trac.wordpress.org/changeset/2323200
- https://wordpress.org/plugins/wpdiscuz/#developers
- https://wpdiscuz.com/community/news/security-vulnerability-issue-in-5-3-5-please-udate/