CVE-2021-3817
Published 2021-12-09

wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

Priority: P2 (74) · Severity: critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 37.82% (98.4th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wbce | wbce_cms | < 1.5.2 | 1.5.2 |
| wbce | wbce_wbce_cms | < 1.5.2 (lower bound unspecified) | 1.5.2 |
Detection & IOCs (extracted from sources)
- Detect SQLi payloads in the POST body of the password-reset endpoint: look for a URL-encoded single quote followed by comment-based whitespace-bypass tokens (/**/) and user_id=1 in the email parameter of requests to /wbce/admin/login/forgot/index.php.
- Monitor POST requests to /wbce/admin/login/forgot/index.php with a Content-Type of application/x-www-form-urlencoded whose email field contains %27 (URL-encoded single quote) as an indicator of SQL injection attempts.
- The exploit abuses the forgot-password flow to recover plaintext admin credentials via SQLi; alert on any password-reset email triggered for user_id=1 (the administrator account) from an external or unexpected source.
- A Google dork can be used to identify exposed WBCE CMS instances: search for intext:"Way Better Content Editing".
- The exploit targets WBCE CMS versions up to and including 1.5.1; later versions may have patched the SQLi in the forgot-password endpoint.
- The attacker must control a catch-all email domain to receive the plaintext password-reset email sent by the vulnerable application; the exploit author used a Namecheap domain with a catch-all redirect.
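A small triage script, added here as an example (not part of this record, the cited exploit, or the WBCE project), that applies the indicators above to constructed request records. The record shape (method, path, content_type, raw form body) is an assumed WAF/proxy log format; it also decodes repeatedly so a double-encoded quote is not missed.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint and content type named in the indicators above.
FORGOT_PATH = "/wbce/admin/login/forgot/index.php"
FORM_TYPE = "application/x-www-form-urlencoded"

# Constructed sample records in an assumed WAF/proxy log shape (not real traffic):
# 0 legitimate reset, 1 carries the indicators, 2 is double-encoded, 3 and 4 are
# outside the monitored method/path.
SAMPLE_RECORDS = [
    {"method": "POST", "path": FORGOT_PATH, "content_type": FORM_TYPE, "body": "email=alice%40example.test"},
    {"method": "POST", "path": FORGOT_PATH, "content_type": FORM_TYPE, "body": "email=x%27%2F%2A%2A%2Fuser_id%3D1"},
    {"method": "POST", "path": FORGOT_PATH, "content_type": FORM_TYPE, "body": "email=x%2527"},
    {"method": "GET", "path": FORGOT_PATH, "content_type": "", "body": ""},
    {"method": "POST", "path": "/wbce/pages/index.php", "content_type": FORM_TYPE, "body": "q=%27"},
]

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so a double-encoded %2527 still surfaces as a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(record):
    """Return the indicator names matched by one request record (empty = no alert)."""
    if record["method"] != "POST" or record["path"] != FORGOT_PATH:
        return []
    if not record.get("content_type", "").startswith(FORM_TYPE):
        return []
    fields = parse_qs(record.get("body", ""), keep_blank_values=True)
    email = fully_decode(fields.get("email", [""])[0])  # parse_qs already decoded once
    hits = []
    if "'" in email:
        hits.append("single_quote_in_email")
    if "/**/" in email:
        hits.append("comment_whitespace_bypass")
    if re.search(r"user_id\s*=\s*1\b", email):
        hits.append("targets_user_id_1")
    return hits

def scan(records):
    """Map record index -> matched indicators for every record that should alert."""
    return {i: hits for i, hits in enumerate(map(classify, records)) if hits}
```

Any non-empty result on this endpoint is worth an alert; the three indicator names only tell the analyst how much of the known pattern was present.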
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/165377/WBCE-CMS-1.5.1-Admin-Password-Reset.html
- https://github.com/wbce/wbce_cms/commit/6ca63f0cad5f0cd606fdb69a372f09b7d238f1d7
- https://huntr.dev/bounties/c330dc0d-220a-4b15-b785-5face4cf6ef7