CVE-2020-20300
published 2020-12-18

CVE-2020-20300: SQL injection vulnerability in the wp_where function in WeiPHP 5.0.

Priority: P1 78 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.75% (94.5th percentile)

Affected

1 range

Vendor   Product   Version range   Fixed in
weiphp   weiphp    (not stated)    (not stated)

Detection & IOCs (extracted from sources)

URL: /public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5('999999'),0x7e),1)--+
Command: uid[0]=exp&uid[1]=) and updatexml(1,concat(0x7e,md5('999999'),0x7e),1)--+
  • Send a POST request to /public/index.php/home/index/bind_follow/ with parameters publicid=1, is_ajax=1, uid[0]=exp, and uid[1] containing an updatexml-based error-based SQLi payload; an HTTP 500 response containing the partial MD5 hash '52c69e3a57331081823331c4e69d3f2' in the body confirms exploitation.
  • Shodan and FOFA fingerprints for identifying exposed WeiPHP 5.0 instances: search for http.html containing 'WeiPHP5.0', 'weiphp', or 'weiphp5.0'; FOFA body matches 'weiphp' or 'weiphp5.0'.
  • The injection point is the uid parameter passed to the wp_where function; the exp operator combined with updatexml error-based injection is the attack vector via a POST body.
  • The exploit requires no authentication (PR:N) and targets the bind_follow endpoint with is_ajax=1; the vulnerability is unauthenticated and network-accessible.
  • The detection signature '52c69e3a57331081823331c4e69d3f2' is the partial MD5 of '999999' as returned in the updatexml error output; this is specific to the PoC payload and may not match if the attacker uses a different value.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL